
Vaccination against COVID-19: the Clic Santé website victim of a data breach

A data leak was recently discovered on the Clic Santé site that Quebecers use to make their COVID-19 vaccination appointments, the QMI Agency has learned.

A member of the Hackfest community (an annual cybersecurity event) disclosed this breach on the evening of May 13 on the organization’s Discord server, an application used by Internet users interested in cybersecurity and related subjects to communicate.

The individual behind this revelation, who requested anonymity, discovered this vulnerability while exploring the Clic Santé site. He realized that it was possible to download documents relating to appointments for the COVID-19 vaccination. These documents were accessible without his needing to authenticate himself.

[Photo: AGENCE QMI, Sam Harper]

We were able to have this information confirmed by the Ministry of Health and Social Services (MSSS).

“[A] file containing certain information on appointments, including the health insurance number, has been exceptionally circulated by the MSSS to vaccination centers in Quebec,” explained Noémie Vanheuverzwijn, spokesperson for the MSSS.

These documents were divided by regions and were used to “check for duplicates that had to be canceled,” she added.

On one of these documents of which we obtained a copy, we also noted the dates, times and places of vaccination, in addition to health insurance numbers. By making cross-checks, it would be possible to identify certain people.

This information was stored “on a collaborative environment belonging to the supplier used for consultation purposes for vaccination centers in Quebec,” said Ms. Vanheuverzwijn.

The supplier, Trimoz Technologies, did not respond to our requests for information.

The ministry was reportedly quickly made aware of the situation. By the next morning, it was no longer possible to access the documents.

Ms. Vanheuverzwijn explained that “it is a human error, forgetting to delete the file after the information has been transferred to the regions”. According to the spokesperson, “no other security breach has been detected”.

Although no harm appears to have been caused by this incident, the ministry has decided to change the way it communicates with vaccination centers. “A secure channel on an MSSS platform and shared at [réseau de la Santé et des Services sociaux] on secure government infrastructure […] has already been set up to ensure a transfer. From now on, any transfer will have to use this channel even if the data is not considered sensitive,” said the spokesperson.

Following this event, a co-founder of Hackfest, Patrick Mathieu, wrote a message on the organization’s exchange platform to “thank the members of the community for their contribution to making the application more secure”.

What can you find out using a health insurance number?

Although these documents did not contain the name of the person who made an appointment, the health insurance number provides:

  • the birth date,
  • sex,
  • the first three letters of the last name,
  • the first letter of the first name.

By cross-checking this data with the geographic location and information available on social networks, it would be possible to identify some of these individuals.
