A news story found its way onto Irish media outlets yesterday, notifying that anyone who signed up to the HSE’s covid 19 vaccine portal, accidentally had access to everyone else’s information.
The accessible information included names, addresses, PPS numbers, vaccination type and batch numbers.
Significantly, the HSE did not consider this something that warranted a ‘Personal Data Breach report’ so the Data Protection Commission was not notified.
The news item, first published on CyberNews.com contains the following paragraphs:
“In December 2021, Aaron Costello, security researcher and principal SaaS security engineer at SaaS security vendor AppOmni, discovered a misconfiguration in HSE’s COVID Vaccination Portal, inadvertently leaking the private information of more than a million Irish citizens, including their full names, vaccination status, the type of vaccine received and more.
“According to his report, the leak also compromised HSE documents containing information about internal IT issues and processes and documents belonging to staff members.”
The article doesn’t say who Mr Costello was working for at the time of his discovery, but it does state that once he reported his findings to the HSE, he then provided assistance to the HSE in ‘fixing the misconfiguration.’
“After investigation by the HSE, they fortunately did not find any evidence that any information was accessed by unauthorized individuals with malicious intent,” Costello said.
Neither side disclosed the incident to the public until now.”
While CyberNews describes the leak as a ‘massive data leak’, Breaking News describes it as a ‘computer glitch’ that left the data of up to one million people vulnerable.
These were people who used the HSE’s covid vaccination portal to schedule covid vaccine appointments and issue consent.
Among them, was Joseph McGinty’s mother Patricia McGinty. Joseph McGinty (14) collapsed and died on September 13 2021. He received his Pfizer vaccine on August 20.
At the inquest into his death in Co Mayo last year, it emerged that his vaccine record had been accessed and tampered with. The issue was raised with two separate witnesses by the family’s barrister.
The first change made to Joseph’s Covax file occurred on Feb 10 2022 at 3.08am and the file was accessed again on November 28 2022 at 6.10am. The family’s barrister said the timing of the changes coincided with Coroner Pat O’Connor contacting Pfizer in relation to the child’s death, notifying his intention to investigate a suspected possible link between the death and the child’s covid 19 vaccination.
Significantly, neither the manager of the vaccination centre where Joseph was vaccinated, nor Pfizer’s witness, Dr Gillian Ellsbury, could provide answers for the McGinty family or the coroner.
However, it now appears that the HSE had access to this information.
The inquest, on July 19 2023, heard evidence from Frank Harburn, former General Manager of the Saolta regional vaccination programme, who outlined the process involved of registering a child for a covid 19 vaccine through the national Registration Portal.
Mr Michael O’Connor SC for the family, asked Mr Harburn about the changes made to the Covax system in relation to Joseph McGinty’s vaccination record.
“Can you explain to me the changes made on Feb 10 2022?” Mr O’Connor asked.
“I assume these were changes made to the national system. It’s a national system it is hosted and managed by the HSE,” Mr Harburn said.
“That change occurred at 3.08am. It’s an unusual entry,” Mr O’Connor said.
“I don’t know why that change occurred,” Mr Harburn replied.
Mr O’Connor said on November 28 2022 there was another change made. Mr Harburn said he wasn’t sure why the change was made.
“I don’t know why it was changed to non-applicable.”
“Who in your organisation would know that?” Mr O’Connor asked.
“Whoever updated it. I wasn’t there on the day,” Mr Harburn said.
Similarly, Pfizer’s Vaccine’s Director, Dr Gillian Ellsbury was unable to answer the questions put to her regarding changes made to Joseph’s record on the CoVax system.
Mr O’Connor SC instructed by solicitor Rita Kilroy of Lavelle Bourke Solicitors, put it to Dr Ellsbury that the timing of the changes made to Joseph’s file coincided with Pfizer’s becoming aware of the case.
“There were witnesses here yesterday from the operators of the vaccine and neither were able to explain why changes had been made to the system.
“Are you able to help us with that Dr Ellsbury? It’s a system called Salesforce that was operated by the immunisation team in Ireland under the HSE,” Mr O’Connor SC said.
“I’m curious that one of those changes was made shortly before the Coroner was written to and I’m wondering if Pfizer wrote to the HSE and looked for information about this case, that might have caused that change?”
“That’s not a system we have access to and I’m not aware of anybody contacting it,” Dr Ellsbury said.
“Neither can you out rule it, you don’t know,” Mr O’Connor SC said.
“What I am asking is, if Pfizer had contacted the HSE looking for information on this particular case and his vaccination records in November 2022, around the same time that Pfizer wrote to the Coroner?”
“I don’t know the answer,” Dr Ellsbury said.
In response to the news that the personal data of almost one million was open to anyone that registered on the system, the HSE confirmed that if the data had been accessed, they would be able to see this information in its analysis. Breaking News reported the following:
“If someone accessed data, we would be able to see this in the detailed logs which we analysed,” the HSE said in a statement.
The security breach news item has been published across multiple media platforms including the Irish Medical Times, RTE, Irish Independent, Irish Times, Journal.ie and others.
This surely begs the question, since ‘neither side disclosed the incident to the public until now’ - why now?
And if the Mr Costello and the HSE can conclude that the ‘glitch’ resulted in no unauthorised access by anyone ‘with malicious intent,’ either or both parties can surely answer the questions posed by the McGinty family’s barrister?
*Read the CyberNews article here
**Read “Who tampered with Joseph’s vaccine record?” (paywall removed) below:
Warm thanks to those that continue to support my work, it is much appreciated.
This whole episode stinks to high heaven. And, I don't believe for one second that it's down to incompetence. I wonder if the HSE cyber attack in 2021 was down to the default "Russian Hackers" at all?
Fair play Louise, keep it lit.
Another good reason why one would be thankful to have never gone near the 'Britney Spears Concert' as it has rather eloquently been termed!