The QMI agency has learned that a data leak was recently discovered at the Clic Santé site that Quebeckers use for their COVID-19 vaccination appointments.
• Read also: First teen vaccinated against COVID-19 in Quebec
• Read also: Vaccine in 12–17 year olds: two doses before August; And likely to prom
• Read also: Snowbirds may receive recognition for their vaccinations abroad
It was a member of the Hackfest community (an annual cybersecurity event) that unveiled the breach on the organization’s Discord server on the evening of May 13, used to communicate between Internet users interested in cyber security and other topics An application with.
The person behind this revelation, who requested anonymity, discovered this vulnerability while searching the Clic Santé site. He felt that it is possible to download documents related to appointments for COVID-19 vaccination. These documents were accessible without the need to authenticate themselves.
Sam Harper / Agency QMI
We were able to confirm this information by the Ministry of Health and Social Services (MSSS).
«[U]A file containing some information on appointments, including health insurance numbers, to immunization centers in Quebec by MSSS has been exceptionally operational, ”explained MSSS spokesperson Noemi Vanheuwerzwijn.
He said that these documents were divided by regions and were used to “check for duplicates that had to be canceled”.
On one of these documents, we also noted the date, time and place of vaccination in addition to the health insurance number. Cross checking will identify some people.
The information was stored “on a collaborative environment related to the supplier used for consultation purposes for vaccination centers in Quebec”, Ms. Vanheuwerzwijn said.
The supplier, Trimoz Technologies, did not respond to our requests for information.
The ministry was reportedly made aware of the situation soon. Until the next morning, it was not possible to access the documents.
Ms Vanheuwerzvision explained that “it is a human error, forgetting to delete a file after transferring information to areas”. According to the spokesperson, “no other security breach has been detected.”
Although no harm appears to have been caused by the incident, the ministry has decided to change the way communication is conducted with vaccination centers. “A secure channel on the MSSS platform and shared here [réseau de la Santé et des Services sociaux] On safe government infrastructure […] To ensure the transfer is already installed. From now on, any transfer will have to use this channel, even if the data is not considered sensitive, ”the spokesperson said.
Following the incident, Hackfest co-founder Patrick Matthews wrote a message on the organization’s Exchange platform to “thank the members of the community for their contribution in making the application more secure”.
Although these documents did not name the person who took the appointment, the health insurance number provides:
– date of birth,
– First three letters of surname,
– First letter of first name.
By cross-checking this data with information available on geographical location and social networks, it would be possible to identify some of these individuals.