A flaw on a site that transmits Covid test results carried out in pharmacies to the French government platform has made the personal data and test results of 700,000 people accessible on the Web, according to an article published Tuesday by Mediapart news website.
The surnames, first names, dates of birth, addresses, telephone numbers, social security numbers and e-mail addresses, as well as the test results of 700,000 people were available until Friday thanks to – or because of – “a password that can be found, in clear text, in a file accessible to all” on the Francetest site, Mediapart writes.
The SI-DEP (screening information system) is a secure platform where Covid-19 test results are systematically recorded in order to “ensure that all positive cases are properly managed” and to identify contact cases, explains the French health minister Olivier Véran on its website.
This platform, “manufactured by the AP-HP (Assistance publique-Hôpitaux de Paris) in December […] is not very ergonomic”, explains Philippe Besset, president of the French pharmacists union (Fédération des syndicats pharmaceutiques de France – FSPF).
As a result, many pharmacists are using intermediaries to enter the results of tests carried out in the SI-DEP. Francetest charges one euro per transmission, according to Mediapart.
On Sunday, the Directorate General for Health (DGS) sent an email to pharmacists reminding them of the approved software compatible with the SI-DEP, of which Francetest is not a part.
“We have been alerting the authorities for weeks and weeks about these companies that present themselves as labelled and make it easier for pharmacists to access the SI-DEP,” said Philippe Besset.
“We absolutely need the authorities to provide us with a tool that allows us to transmit data to the SI-DEP with our business software, which is secure and approved,” he insisted, pointing out that even software authorised by the DGS was not sufficiently secure.
A statement published on Francetest website on Tuesday explains that “There is no evidence to date that any personal information of patients or pharmacists has been leaked. At this stage, we consider this to be only a warning of an existing vulnerability which we addressed immediately upon learning of it.”
They add that “No backups of patient data were stored on the Google Cloud service. Only a daily backup of the application data was made.”