Following a report by a private individual, the Federal Data Protection and Information Commissioner (FDPIC) conducted a fact-finding procedure concerning an insufficiently protected database of private COVID-19 test centres. In the final report published today, the FDPIC concluded that the health data processed in the database were exposed to significant security risks because of the reported vulnerability. However, because those responsible reacted immediately with appropriate measures as soon as they learned of the vulnerability, the risk to the data subjects was minimised. The procedure was therefore concluded without recommendations.
In November 2022, a private individual reported to the FDPIC and the National Cyber Security Centre (NCSC) a flaw in the access control of a database in which health data from private COVID-19 test centres in different regions of Switzerland were stored. Due to a vulnerability in the web server, the private individual gained access to the database and was able to download a copy of the data processed there. On the day of the report, those responsible removed the database from the server and transferred it to an encrypted physical data carrier.
In the fact-finding procedure it opened following the report and the initial investigations based on it, the FDPIC found various shortcomings in data security. On the basis of the access logs, the doctor in charge of the test centres was able to prove that no unauthorised person had accessed the data. The immediate measures taken also excluded any further risk for the data subjects. In view of these considerations, and of the fact that the activity of the COVID-19 test centres had already been suspended before the vulnerability became known, the procedure was concluded without the FDPIC issuing any recommendations.
Because of the international component of the system, the FDPIC exchanged information with various authorities under an administrative assistance procedure, in particular with the data protection authorities of Austria and the Principality of Liechtenstein.
On the one hand, the case illustrates the risks associated with a vulnerable database. On the other hand, the immediate measures taken, together with the logging of access to the database, made it possible to exclude further risks for the data subjects.
https://www.edoeb.admin.ch/edoeb/it/home/kurzmeldungen/nsb_mm.msg-id-94662.html