The NCCC under the NSDC of Ukraine detected a leak of personal medical data in one of the largest clinics in Dnipro

The National Coordination Center for Cybersecurity under the National Security and Defense Council of Ukraine during the monitoring of cyberspace detected a leak of information from one of the largest private clinics in the city of Dnipro.

The information that became publicly available includes personal data of employees and clients of this clinic, in particular name, date of birth, address, telephone, e-mail, diagnoses, medical card data (which is a medical secret), including test results, diagnoses, information about the disease, the results of PCR tests, lists of patients with COVID-19.

Analysis of the leakage showed that tens of thousands of patient records became freely available. According to the results of the study, it was established that the leak happened due to configuration errors in the information systems and databases of the medical institution, which had access to the Internet. It should be noted that free access to databases allowed not only the theft of personal information but also unauthorized changes, including modification of prescriptions, results of tests and examinations, editing records in the protocol “Provision of medical care for the treatment of coronavirus disease (COVID-19)”.

Since the leak had been detected, the clinic was passive in responding to the NCCC reports of leaks and vulnerabilities and made no effort to address them. Data on private clinic clients were freely available for quite a long time.

The NCCC experts emphasize that the Ministry of Health implements the eHealth electronic system in compliance with the requirements of personal data protection legislation, but some businesses neglect security measures to protect customers’ personal data, in particular, due to incomplete understanding of legal standards and requirements, which provide for the obligatory adherence to the rules for saving data from hacking and leakage.

The NCCC under the NSDC of Ukraine warned the medical institution about the need to eliminate the vulnerability and reminded that careless attitude to the preservation of clients’ personal data is a reason for law enforcement agencies to bring the management of a private clinic to justice.