NHS breach, HSE bug expose healthcare data in the British Isles
This week, a division of the National Health Service (NHS) Scotland was struck by a cyberattack, potentially disrupting services and exposing patient and employee data. Meanwhile, a researcher disclosed a Salesforce configuration error that exposed millions of Irish citizens’ COVID vaccination data from that country’s Health Service Executive (HSE).
The two incidents, separated by a quick hop over the Irish Sea, speak to the ongoing challenges healthcare organizations face in protecting patients’ most sensitive personally identifiable information (PII) and personal health information (PHI).
Salesforce Bug in Ireland’s COVID Vaccination Portal
During the onset of COVID’s Omicron variant in December 2021, Aaron Costello, principal SaaS security engineer at AppOmni, discovered a severe misconfiguration in the Salesforce-based online vaccination portal for Ireland’s HSE.
In a blog post published on March 14, he explained how an oversight allowed regular, low-level accounts belonging to HSE patients unprecedented access to the part of the system responsible for storing information about vaccine administration.
The exposed object in question included full names of patients and all information relating to their jabs: the brand of vaccine, date, location, and site at which it was administered, and any reasons they accepted or refused it.
Documents belonging to staff members, and information related to internal IT issues and processes, were also exposed.
“For Salesforce administrators and security practitioners on SaaS platforms, there was a lack of understanding of the implications of misconfigured permissions,” Costello tells Dark Reading. “They weren’t acutely aware that these things are possible — that a low-privileged user could be pulling this data.”
To read the complete article, visit Dark Reading.