The Health Service Executive (HSE) in Ireland has acknowledged a significant IT glitch that compromised the vaccination details of more than one million individuals. This incident stemmed from a misconfiguration in a Covid-related database in December 2021, leaving sensitive information vulnerable to potential exploitation. Despite the breach, the HSE assured that no personal data was accessed by hackers or malicious entities, though the breach was not reported to the Data Protection Commissioner (DPC) at the time.
The DPC became aware of the data lapse this week through the Irish Independent’s report and is now examining the matter. If deemed a data breach, it could prompt an investigation into the incident and why a breach notice was not issued. The vulnerability was initially detected by an external security researcher, Aaron Costello, who found that third parties could access personal information about vaccinated citizens, as well as internal HSE documents.
Although the HSE promptly addressed the IT glitch upon being informed by Costello, the duration of the vulnerability’s existence remains undisclosed. This incident follows closely on the heels of a previous IT security attack on the HSE, which resulted in significant disruptions to the national healthcare system and underscored the need for enhanced cybersecurity measures. The HSE attributed the security lapse to time constraints in establishing Ireland’s “Covax” Covid-19 registration database, highlighting the challenges faced in maintaining robust cybersecurity infrastructure amidst evolving threats.
