Computer incident leads to mistaken disclosure of the infection status of Covid-19 patients
The case begins when an individual of French nationality mistakenly receives an e-mail that was not intended for him.
The mail in question contained sensitive information about other people. When asked about the issue, Health Insurance gave assurances that the incident is totally isolated and unprecedented. The agency said that it is constantly developing computer tools to ensure that this kind of thing does not happen. However, the incident highlighted a notable failure in the security process for electronic transactions, especially with regard to monitoring and protecting the identities of those affected by Covid-19.
Recall that on September 14, a French citizen named Antoine reported a rather surprising data leak. He received an email in his secure space with a PDF document attached. The documents contained information about 3 people with Covid-19.
The most embarrassing part of this story is that the documents he received contain very detailed information about the identity of these people: names and surnames, addresses and social security numbers, along with the mention that these people were affected by Covid-19. The legitimate question in this context is what happened and how this data ended up in the individual's secure space.
"The mail, received after being declared positive to Covid-19, contains the insured's first name, name, address and social security number. Antoine received three that were not intended for him," the online media outlet Numerama reports. 5 minutes after being notified of the incident, the institution automatically responded. Health insurance has said that it has even launched an internal investigation to find out where the problem came from. She reacted just the next day with an email that noted: "The incident is not due to a computer security breach in the Amélie account or the Health Insurance computer system, but to an agent's improper handling when loading the mail intended for the insured. This is by no means a widespread or frequent problem. ».She later added that she was going to contact the three people whose data was leaked in error. That if she took a long time to inform them of the problem, it was because the error would not have been quickly noticed. "Your reporting naturally leads us to implement all of the obligations under the General Data Protection Regulations in the interest of protecting the rights of the individuals concerned. ». The notification to victims of data leaks is worth noting, a requirement provided for by the general regulation of European personal data. He also demanded that he be provided with the CNIL
The error certainly comes from the fact that Antoine, the citizen who received the information, had also taken a laboratory test to find out his Covid-19 status, having been in close contact with people who tested positive for Covid-19. His test was also positive. He therefore received a call from the Covid-19 brigade, a section of Health Insurance, to advise him on how to proceed and about the people with whom he may have been in contact, that is, the people who were around him during the 5 days prior to his test. Two days later, in a reminder letter about compliance with the barrier measures, Health Insurance made the mistake of attaching to that mail other documents that did not belong to him. "Given the sensitivity of the data being manipulated, the mere possibility that a single person's error could lead to this kind of incident should not exist. Here, an operator probably forgot to open a different PDF file for each mail, and mistakenly grouped them together, without realizing it. This would mean that this process of sending e-mail is not automated, whereas the document is the same for everyone — so it could be a fairly simple technical procedure to put in place to limit the risk of human error," says Numerama.
This case will remain largely anecdotal. While it is serious, because such sensitive data was transmitted to someone other than the people it belongs to, the impact was fairly limited and easily manageable. The most important thing is to find a way to prevent this from happening again. On this point Health Insurance gives the following assurance: "The possibility of such an incident has already been identified. To remedy this, a technical solution is being developed so that this type of anomaly does not happen again."