Data breakdown at the Corona test center

Getting tested for infection with the Covid 19 virus is becoming almost commonplace for more and more people. In many places, testing centers have been set up where this can be done quickly and usually even free of charge.

In most cases, visitors receive an access code at the end, which they can use to view their test result online or print out a confirmation after a certain time has elapsed. In many places, these are requested before entering certain shopping stores, for example. So there is hardly any way around going to a test center and providing your personal data there.

The online presence of some test centers now repeatedly experienced IT glitches in which data of tested persons was available to everyone. This involved not only personal data such as name, date of birth, address and telephone number, but also the respective test results, which as health data fall under the special protection of Art. 9 I DSGVO.

Current examples

Not only in March 2021 was it discovered by security researchers that Corona test centers in Germany and Austria were inadequately protected (here the name, address, date of birth, citizenship, Corona test result and, in some cases, ID data of more than 80,000 people were openly accessible), but even more recently it was possible to view corresponding data of more than 14,000 tested persons from centers in Hamburg, Berlin, Leipzig and Schwerte.

So the problem is still relevant.

Reasons for the data mishaps

But where exactly were the errors that made such data mishaps possible in the first place?

At more than 100 test centers, interfaces of the websites and web applications through which customers can register for a test and retrieve their result were available unprotected. Not only were these interfaces at the affected test centers inadequately secured, but even amateur computer users were able to view the results and other personal data of other customers by changing the last digit of their assigned customer ID number to view their results. To prevent this, so-called UUIDs and complex hash values (results) can be used in programming.

In addition, it is said to have been possible to view online, in part via each customer account, in which test center who was being tested and when, and what the result was.

Consequences

Fines were imposed on the individual operators, as also provided for by the GDPR. However, voices were quickly raised that the authorities lacked the necessary severity in taking action against such data breaches.

The affected operators, who were required to report these data breaches, testified that the vulnerabilities have since been fixed.

But it is foreseeable that with regard to the volumes of data collected in connection with Corona, further digitization deficiencies will be revealed in the future.