Protected health information and personal details of over a million Irish citizens were accidently exposed by the Ireland’s Health Service Executive (HSE) during the COVID pandemic, according to an AppOmni security researcher.
This information included individuals’ vaccine status and type received, which could have been accessed by anyone who registered to the HSE COVID Vaccination Portal before the end of 2021.
The misconfiguration in the portal also made internal HSE documents publicly available, Aaron Costello, Principal SaaS Security Engineer at AppOmni, revealed in a blog dated March 14, 2024.
The exposed health and personal information included:
- Full name
- Vaccination appointment date (past / present / future)
- Vaccination appointment location
- Vaccination administration site (How the vaccine was injected)
- Reason for administering vaccine
- Reason for refusal of vaccine administration
- Vaccine type (brand/lot (Batch) number/dose
Costello discovered the issue in December 2021, and HSE confirmed to him it had been fixed on January 17, 2022.
There is no evidence that the information was accessed by any unauthorized individuals with malicious intent.
Costello explained that he has decided to make the issue public to help educate organizations on the risks of handling sensitive data in SaaS applications.
How Irish Citizens’ Health Data Was Exposed
The HSE vaccination portal was created during the COVID-19 crisis to enable Irish citizens to quickly book vaccine appointments, with users signing up through a self-registration form.
The portal was built on top of the Salesforce platform, in what is known as a ‘Digital Community.’ These communities are configured to grant all registered individuals a specific profile, which gives them permissions to perform actions on the portal’s user interface, such as register for a vaccination or view their appointment details.
However, the profile permissions were accidently configured by HSE to grant users’ access to the Health Cloud object that stored information about other registrants – including their vaccination status.
Users were also granted excessive privileges that could enable them to access a folder containing internal HSE documents.
Most users would not have realized they had this level of access because the portal is specifically designed to only show the individuals’ data, Costello noted.
However, a malicious actor could have exploited the misconfiguration to access and exfiltrate the sensitive information about individuals and HSE.
Costello explained this could have been achieved by simply registering to the Vaccination Portal to be automatically assigned the over-privileged Salesforce profile, then viewing all objects that existed within the Salesforce platform through the API, including those in the Health Cloud application.
From there, a malicious actor could iterate over the list of available objects and attempt to access and download the data within them.
“This would have allowed the malicious individual to access both internal HSE documentation, and all vaccine administration records for over a million individuals,” Costello explained.
The Irish Times quoted a HSE spokesperson who confirmed the misconfiguration had occurred, and said it was remediated the day it was alerted to the issue.
It highlighted the “time pressure” of the COVID-19 vaccination program as the cause for the accidental exposure, but reiterated that there was no evidence that a malicious actor accessed the data.
How to Mitigate the Risk of Misconfigurations on Salesforce
Costello set out the best practices for organizations that have publicly facing content on the Salesforce platform to take to avoid the risk of data exposure:
- Establish the principle of least privilege for internal and external users
- Perform regular permission model reviews of access-granting elements within Salesforce
- Implement classifications on sensitive data stored on the platform
- Monitor logs provided by Salesforce to detect data exfiltration attempts
- Regularly audit the platform’s configuration, including access control
Costello acknowledged that these actions would have been “exceptionally difficult” for HSE to manually implement amid the rush to manage the rapid vaccination rollout across the country during the pandemic.
Image credit: Lukassec / Shutterstock.com