HSE error exposed vaccination status of over a million Irish citizens

esteria.white

The protected health information and personal data of more than a million Irish citizens was accidentally exposed by the Irish Health Service Executive (HSE) during the COVID pandemic, according to an AppOmni security researcher.

This information included the vaccination status of individuals and the type received, which anyone registered with the HSE COVID vaccination portal would have been able to access before the end of 2021.

The portal’s misconfiguration also made internal HSE documents publicly available, Aaron Costello, senior SaaS security engineer at AppOmni, revealed in a blog post dated March 14, 2024.

The health and personal information exposed included:

  • First and last name
  • Vaccination appointment date (past/present/future)
  • Vaccination appointment location
  • Vaccination administration site (How the vaccine was injected)
  • Reason for administering the vaccine
  • Reason for refusing vaccine administration
  • Vaccine type (brand/lot number (batch)/dose)

Costello discovered the issue in December 2021 and HSE confirmed to him that it had been resolved on January 17, 2022.

There is no evidence that unauthorized persons with malicious intent accessed the information.

Costello explained that he decided to make the issue public to help educate organizations about the risks of handling sensitive data in SaaS applications.

How Irish citizens’ health data was exposed

The HSE Vaccination Portal was created during the COVID-19 crisis to enable Irish citizens to quickly book vaccine appointments, with users registering via a self-registration form.

The portal was built on the Salesforce platform, in what is called a “digital community”. These communities are configured to grant all registered individuals a specific profile, which gives them permission to perform actions on the portal user interface, such as registering for a vaccination or viewing their appointment details.

However, the profile permissions were accidentally configured by HSE to grant users access to the Health Cloud object which stored information about other registrants, including their vaccination status.

Users were also granted excessive privileges that could allow them to access a folder containing internal HSE documents.

Most users wouldn’t have realized they had this level of access because the portal is specifically designed to display only individuals’ data, Costello noted.

However, a malicious actor could have exploited the misconfiguration to access and exfiltrate sensitive information about individuals and the HSE.

Costello explained that this could have been achieved by simply registering on the vaccination portal to automatically be assigned the overprivileged Salesforce profile, and then viewing all objects that existed within the Salesforce platform via the API, including those in the Health Cloud application.

From there, a malicious actor could browse the list of available objects and attempt to access and download the data within them.

“This would have allowed the attacker to access both internal HSE documentation and all vaccine administration records for over a million people,” Costello explained.

The Irish Times cited an HSE spokesperson who confirmed the misconfiguration had occurred and said it was corrected the day he was alerted to the problem.

He highlighted the “time pressure” of the COVID-19 vaccination program as the cause of the accidental exposure, but reiterated that there was no evidence a malicious actor accessed the data.

How to mitigate the risk of misconfigurations on Salesforce

Costello set out best practices that organizations with publicly available content on the Salesforce platform should adopt to avoid the risk of data exposure:

  • Establish the principle of least privilege for internal and external users
  • Perform regular reviews of the access-granting elements of the Salesforce authorization model
  • Implement classifications on sensitive data stored on the platform
  • Monitor Salesforce-provided logs for data exfiltration attempts
  • Regularly audit platform configuration, including access control

Costello acknowledged that these actions would have been “exceptionally difficult” for the HSE to implement manually, amid a rush to manage the rapid vaccination rollout across the country during the pandemic.
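As an added illustration (not code from Costello's post or from the HSE), the sketch below automates one of the reviews listed above: it checks an export of profile object permissions against a data classification and flags external-user profiles that can read classified objects. The CSV layout, profile names, object names and licence list are all constructed assumptions, with the columns modeled on the fields of Salesforce's ObjectPermissions object.

```python
import csv
import io

# Constructed sample export: one row per (profile, object) permission grant.
# Column layout is an assumption modeled on Salesforce's ObjectPermissions fields.
SAMPLE_EXPORT = """profile,user_license,sobject,read,view_all,modify_all
Portal Registrant,Customer Community,Appointment__c,true,false,false
Portal Registrant,Customer Community,Vaccination_Record__c,true,true,false
Portal Registrant,Customer Community,Internal_Document__c,true,false,false
Clinic Staff,Salesforce,Vaccination_Record__c,true,true,false
"""

# Assumed classification: hypothetical objects a portal user must never read in bulk.
SENSITIVE_OBJECTS = {"Vaccination_Record__c": "health data",
                     "Internal_Document__c": "internal documents"}

# Licence names treated as external (self-registered or guest); adjust per org.
EXTERNAL_LICENSES = {"Customer Community", "Customer Community Plus",
                     "Customer Community Login", "Guest User License"}


def _flag(value):
    """Interpret a CSV boolean cell."""
    return value.strip().lower() == "true"


def audit(export_text, sensitive=SENSITIVE_OBJECTS, external=EXTERNAL_LICENSES):
    """Return sorted findings for external profiles that can read classified objects."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["user_license"] not in external or row["sobject"] not in sensitive:
            continue
        if _flag(row["view_all"]) or _flag(row["modify_all"]):
            severity = "HIGH"    # bypasses record sharing: every record is visible
        elif _flag(row["read"]):
            severity = "REVIEW"  # exposure depends on sharing settings; verify them
        else:
            continue
        findings.append((severity, row["profile"], row["sobject"],
                         sensitive[row["sobject"]]))
    return sorted(findings)


if __name__ == "__main__":
    for severity, profile, sobject, label in audit(SAMPLE_EXPORT):
        print(f"[{severity}] {profile} -> {sobject} ({label})")
```

Run on a schedule against a fresh export, a non-empty result is the signal to review the profile before the next release of the portal.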
