A data breach involving an online platform used to transfer data from antigen tests performed in pharmacies to the government platform SI-DEP exposed 700,000 Covid test results, along with personal information.
The Francetest platform was alerted to the bug in its system by the online investigative journal Mediapart, and it was corrected on the night of August 27.
In the meantime, surnames, first names, genders, dates of birth, social security numbers, contact details (including email address, telephone number and postal address) and test results were “accessible to all with a few clicks”, Mediapart noted.
A fortuitous discovery
The issue with the website was discovered when a computer-literate patient attempted to retrieve her test results using the link provided by her pharmacist.
Looking at the URL, she was surprised to find that the open-source WordPress content management system was being used to manage sensitive data.
She then realized that she could access files with patient information through the URL tree and even create an account without being a pharmacist.
External controls required
On Sunday, the Directorate General of Health (DGS) sent a reminder email to pharmacists concerning the approved software compatible with SI-DEP, which does not include Francetest.
Cybersecurity expert Gérôme Billois believes that external and independent controls are necessary to guarantee that certain levels of security can be maintained on these sites.
“When you go to a website, it is extremely difficult to know whether it is reliable or not. You still see the words 100% secure. The general public cannot verify this,” he told franceinfo.
“This is why there are several regulatory proposals aimed at imposing a minimum level of safety and a label, such as the CE label.
“We need to gain more and more external recognition, independent of those who created these websites,” he added.