Category: COVID-19-Virus

Names of unvaccinated employees revealed in Canada

23. September 2021

The Ottawa Hospital’s human resources office admitted a data breach caused by a mass email revealing the identities of unvaccinated staff members, CTV News Ottawa reported. The system-generated email was sent on September 8th to employees who had declined the COVID-19 vaccination, making their email addresses inadvertently visible in the recipient section.
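The failure described above, as an added example that is not the hospital's system: a bulk message that lists every address in `To`, next to a per-recipient build with a pre-send guard. All function names and the `example.org` addresses are constructed for illustration, and nothing is actually sent.

```python
from email.message import EmailMessage
from email.utils import getaddresses

# Constructed sample recipients (not real addresses).
SAMPLE_RECIPIENTS = ["staff.a@example.org", "staff.b@example.org",
                     "staff.c@example.org"]


class RecipientExposure(Exception):
    """Raised when a message would show several addresses to every reader."""


def visible_recipients(msg):
    """Addresses each recipient can read in their copy: the To and Cc headers."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr for _name, addr in getaddresses(headers) if addr]


def enforce_visible_limit(msg, limit=1):
    """Pre-send guard for sensitive mailings: refuse more than `limit` visible addresses."""
    seen = visible_recipients(msg)
    if len(seen) > limit:
        raise RecipientExposure(
            f"{len(seen)} addresses visible in To/Cc (limit {limit})")
    return msg


def build_bulk_flawed(sender, subject, body, recipients):
    """Flawed pattern: one message, the whole group in the To header."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def individualize(sender, subject, body, recipients):
    """One message per recipient, so no address appears in anyone else's copy."""
    messages = []
    # dict.fromkeys de-duplicates while keeping the original order.
    for rcpt in dict.fromkeys(r.strip() for r in recipients):
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = rcpt
        msg["Subject"] = subject
        msg.set_content(body)
        messages.append(enforce_visible_limit(msg))
    return messages


if __name__ == "__main__":
    flawed = build_bulk_flawed("hr@example.org", "Education session",
                               "Please attend.", SAMPLE_RECIPIENTS)
    print("visible in flawed message:", len(visible_recipients(flawed)))
    safe = individualize("hr@example.org", "Education session",
                         "Please attend.", SAMPLE_RECIPIENTS)
    print("messages built:", len(safe))
    # Each message in `safe` would be handed to the mail server separately.
```

Running the guard in the sending job means a template that puts the whole group into `To` fails before any mail leaves the system.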

The reason for sending the email was the hospital’s expectation that every member would get vaccinated to ensure the safety of the community. To achieve this, education was also to be provided to unvaccinated employees, who were to be invited by email to attend an education session.

The hospital has already apologized to the affected employees and made efforts to resolve the issue. IT services were contacted and immediately recalled the email, removed it from all inboxes and deleted the copies. Moreover, all those who had forwarded the email to personal accounts were asked to delete it. Following an investigation by the hospital’s privacy office, a report has also been made to the Information and Privacy Commissioner of Ontario.

Allegedly, this data breach involved 391 employees whose names were disclosed. However, the number was not officially confirmed by the hospital.

In conclusion, the hospital said in a statement explaining the case:

“Health-care workers have worked tirelessly to protect our communities throughout the pandemic, and they deserve protection and support to enable them to do their jobs safely, and to the best of their abilities.”

No obligation to disclose vaccination certificates at events in Poland

7. July 2021

According to recent announcements, the Polish Personal Data Protection Office (UODO) has indicated that vaccinated individuals participating in certain events cannot be required to disclose evidence of vaccination against COVID-19.

In Poland, one of the regulations governing the procedures related to the prevention of the spread of coronavirus is the Decree of the Council of Ministers of May 6th, 2021 on the establishment of certain restrictions, orders and prohibitions in connection with the occurrence of an epidemic state. Among other things, it sets limits on the number of people who can attend various events which are defined by Sec. 26 para. 14 point 2, para. 15 points 2, 3. The aforementioned provisions concern events and meetings for up to 25 people that take place outdoors or in the premises/building indicated as the host’s place of residence or stay as well as events and meetings for up to 50 people that take place outdoors or in the premises/separate food court of a salesroom. Pursuant to Sec. 26 para. 16, the stated number of people does not include those vaccinated against COVID-19.

In this context the question has arisen how the information about the vaccination can be obtained. As this detail is considered health data which constitutes a special category of personal data referred to in Art. 9 para. 1 GDPR, its processing is subject to stricter protection and permissible if at least one of the conditions specified in para. 2 is met. This is, according to Art. 9 para. 2 lit. i GDPR, especially the case if the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.

The provisions of the Decree do not regulate whether the participants in the mentioned events may be required to provide information on their vaccination against COVID-19. Hence, it is not specified who may verify the evidence of vaccination, under what conditions and in what manner. Moreover, “specific measures to safeguard” as referred to in Art. 9 para. 2 lit. i GDPR, cited above, are not provided either. Therefore, the regulations of the Decree cannot be seen as a legal basis authorizing entities obliged to comply with this limit of persons to obtain such data. Consequently, the data subjects are not obliged to provide it.

Because of this, collection of vaccination information can only be seen as legitimate if the data subject consents to the data submission, as the requirement of Art. 9 para. 2 lit. a GDPR will be fulfilled. Notably, the conditions for obtaining consent set out in Art. 4 para. 11 and Art. 7 GDPR must be met. Thus, the consent must be voluntary, informed, specific, expressed in the form of an unambiguous manifestation of will and capable of being revoked at any time.

More passenger data collected

1. July 2021

The German Federal Criminal Police Office regularly records so-called PNR (Passenger Name Records) on flights. This includes, among other information, date of birth, names, e-mail addresses, possible frequent flyer numbers or the means of payment used. The aim of the screening is to help track and prevent terrorist offences and serious crime.

Last year, the quantity of passenger data collected increased significantly. A total of 105 million data records were collected by the Federal Criminal Police Office (BKA) on passengers taking off or landing in Germany. Approximately 31 million passengers are affected by this, including those who have flown more than once. Notably, the number of passengers has fallen by 75 % compared to 2019 due to the corona pandemic.

In 2019, however, around 78 million passenger records of almost 24 million passengers were processed. Subsequently, 111,588 persons were checked against the police’s wanted persons database. The number of “technically positive” search hits was 1960, which corresponds to 0.082 per thousand.

In 2020, after a comparison with the police wanted persons database, 78,179 person transactions remained in the network. The number of positive search hits increased to 5347, which, nevertheless, still only corresponds to 0.2 per thousand. This number is again largely a matter of errors.

Various lawsuits against this dragnet investigation are already before the European Court of Justice. The main accusation is that the dragnet investigation is not proportionate; in particular, it affects uninvolved persons. The state should rather take a targeted approach in these cases and not a generalised one.

The rising threat of Ransomware

28. June 2021

Ransomware attacks are on a steep rise as the global pandemic continues. According to the cybersecurity firm SonicWall, there were more than 304 million attempted ransomware attacks tracked by them in 2020, which was a 62 percent increase over 2019. During the first five months of 2021, the firm detected another 116 percent increase in ransomware attempts compared to the same period in 2020. Another cybersecurity firm, Cybereason, found in a recent study interviewing nearly 1,300 security professionals from all around the world that more than half of organisations have been the victim of a ransomware attack, and that 80 percent of businesses that decided to pay a ransom fee suffered a second ransomware attack, oftentimes by the same cybercriminals.

Ransomware is a type of malicious software which encrypts files, databases, or applications on a computer or network and perpetually holds them hostage, or even threatens to publish data, until the owner pays the attacker the requested fee. Data held hostage may include personal data, business data and intellectual property. While phishing attacks are the most common gateway for ransomware, there are also highly targeted attacks on financially strong companies and institutions (“Big game hunting”).

Alluding to the industry term Software-as-a-Service (SaaS), a new unlawful industry sub-branch has emerged in recent years, which according to security experts lowered the entrance barriers to this industry immensely: Ransomware-as-a-Service (RaaS). With RaaS, a typical monthly subscription could cost around 50 US-Dollars and the purchaser receives the ransomware code and decryption key. Sophisticated RaaS offerings even include customer service and dashboards that allow hackers to track the status of infections and the status of ransomware payments. Thus, cybercriminals do not necessarily have to have the technical skills themselves to create corresponding malware.

Experts point to various factors that are contributing to the recent increase in ransomware attacks. One factor is a consequence of the pandemic: the worldwide trend to work from home. Many companies and institutions were abruptly forced to introduce remote working and let employees use their own private equipment. Furthermore, many companies were not prepared to face the rising threats with respect to their cybersecurity management. Another reported factor has been the latest increase in value of the cryptocurrency Bitcoin, which is the currency preferred by criminals for ransom payments.

Successful Ransomware attacks can lead to personal data breaches pursuant to Art. 4 No. 12 GDPR and can also lead to the subsequent obligation to report the data breach to the supervisory authorities (Art. 33 GDPR) and to the data subjects (Art. 34 GDPR) for the affected company. Businesses are called to implement appropriate technical and organisational measures based on the risk-based approach, Art. 32 GDPR.

Earlier this month, the Danish Data Protection Authority provided companies with practical guidance on how to mitigate the risk of ransomware attacks. Measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems when faced with ransomware may include providing regular trainings for employees, having a high level of technical protection of systems and networks in place, patching programs in a timely manner, and storing backups in an environment other than the normal network.

The new Digital Green Certificate

31. May 2021

The EU Digital Covid certificate (Digital Green Certificate) is scheduled to come into use on July 1, 2021. The certificate is intended to make it possible to move freely within the EU once again. Within the member states, the certificate is also expected to allow access to public events and gastronomy. The certificate will complement and not replace the national passport, such as the yellow vaccination passport in Germany. However, it is up to each country to require additional health documents.

At the national level, software will be developed to meet the requirements of such a certificate. In parallel, a European gateway will be developed. This gateway will then be installed in a data center in Luxembourg. Countries such as Norway, Switzerland and Liechtenstein will also connect to the platform.

The certificate will document vaccination status and recovery from a Covid-19 infection, and it will also be able to record negative PCR tests. At the vaccination centers or doctors’ offices, personal data such as name, date of birth and vaccination date of the person concerned will be digitally recorded and signed with the digital signature key of the issuing body (hospital, test centre, etc.). The issued certificate contains a QR code with a digital signature to protect against falsification. During border control, the data stored and encrypted in the certificate should not be transmitted; only the validity of the crypto keys is checked. To do this, the checking apps contact the EU gateway server in Luxembourg and query whether the key stored in the QR code is reported as valid there. If this is the case, the checking app displays green as well as the name and date of birth of the traveler, who must therefore also present an identification document such as a passport. The participating EU countries, represented by the designated national authorities or official bodies, are considered joint controllers of the processing in the gateway and must therefore provide users with adequate information about the processing of their personal data in the European federation gateway in accordance with Article 13 of the GDPR.

Data protectionists criticize that the digital certificate and the collected data could be used by member states to create movement profiles of those affected. Central storage would also increase the risk of a hacker attack.

Data Breach made 136,000 COVID-19 test results publicly accessible

18. March 2021

Personal health data are considered a special category of personal data under Art. 9 of the GDPR and are therefore given special protections. A group of IT experts, including members of the German Chaos Computer Club (CCC), has now revealed security gaps in the software for test centres by which more than 136,000 COVID-19 test results of more than 80,000 data subjects have apparently been unprotected on the internet for weeks.

The IT-Security experts’ findings concern the software “SafePlay” of the Austrian company Medicus AI. Many test centres use this software to allocate appointments and to make test results digitally available to those tested. In fact, more than 100 test centres and mobile test teams in Germany and Austria are affected by the recent data breach. These include public facilities in Munich, Berlin, Mannheim as well as fixed and temporary testing stations in companies, schools and daycare centres.

In order to view the test results unlawfully, one only needed to create an account for a COVID-19 test. The URL for the test result contained the number of the test. If this number was simply counted up or down, the “test certificates” of other people became freely accessible. In addition to the test result, the test certificate also contained the name, date of birth, private address, nationality and ID number of the person concerned.
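The access-control gap described above, shown beside a corrected lookup, as an added example that is not SafePlay's code. `ResultStore`, `Certificate`, the account names and the denial threshold are hypothetical, and the records are constructed sample data.

```python
import secrets
from collections import Counter
from dataclasses import dataclass


@dataclass
class Certificate:
    owner: str    # account that booked the test
    result: str
    name: str     # constructed sample data, not a real person


class NotFound(Exception):
    """Same error for missing and foreign records, so replies reveal nothing."""


class ResultStore:
    def __init__(self, denial_threshold=3):
        self._by_number = {}       # sequential test number -> Certificate
        self._by_token = {}        # random URL token -> test number
        self._next = 1000
        self.denials = Counter()   # account -> refused lookups
        self.denial_threshold = denial_threshold

    def add(self, cert):
        number, self._next = self._next, self._next + 1
        token = secrets.token_urlsafe(16)   # 128 random bits, not guessable
        self._by_number[number] = cert
        self._by_token[token] = number
        return number, token

    def get_vulnerable(self, account, number):
        """Flawed pattern: any logged-in account may read any test number."""
        if account is None:
            raise PermissionError("login required")
        cert = self._by_number.get(number)
        if cert is None:
            raise NotFound()
        return cert

    def get_hardened(self, account, token):
        """Random token in the URL plus an ownership check on every read."""
        if account is None:
            raise PermissionError("login required")
        number = self._by_token.get(token)
        cert = self._by_number.get(number) if number is not None else None
        if cert is None or cert.owner != account:
            self.denials[account] += 1      # kept for monitoring
            raise NotFound()
        return cert

    def accounts_to_review(self):
        """Accounts with repeated refused lookups, a sign of identifier probing."""
        return sorted(a for a, n in self.denials.items()
                      if n >= self.denial_threshold)


def demo():
    store = ResultStore()
    n_a, t_a = store.add(Certificate("alice", "negative", "Alice Example"))
    n_b, t_b = store.add(Certificate("bob", "positive", "Bob Example"))
    # The flaw: the neighbouring number returns another person's certificate.
    leaked_owner = store.get_vulnerable("alice", n_a + 1).owner
    own = store.get_hardened("alice", t_a).owner
    refused = 0
    for ident in (t_b, "not-a-real-token", str(n_b)):
        try:
            store.get_hardened("alice", ident)
        except NotFound:
            refused += 1
    return {"leaked_owner": leaked_owner, "own": own, "refused": refused,
            "review": store.accounts_to_review()}


if __name__ == "__main__":
    print(demo())
```

The ownership check is the actual fix; the random token only removes the ability to guess valid identifiers, and the denial counter gives operations a signal to alert on.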

It remains unresolved whether the vulnerabilities were exploited prior to the discovery by the CCC. The CCC notified both Medicus AI and the Data Protection Authorities about the leak, which led to a quick response by the company. However, IT experts and privacy-focused NGOs commented that Medicus AI was irresponsible and grossly negligent with respect to its security measures, leading to the potential disclosure of an enormous amount of sensitive personal health data.

Dutch data scandal: illegal trade of COVID-19 patient data

19. February 2021

In recent months, RTL Nieuws reporter Daniël Verlaan has discovered widespread trade in the personal data of Dutch COVID-19 test subjects. He found ads consisting of photos of computer screens listing data of Dutch citizens. Apparently, the data had been offered for sale on various instant messaging apps such as Telegram, Snapchat and Wickr. The prices ranged from €30 to €50 per person. The data included home addresses, email addresses, telephone numbers, dates of birth and BSN identifiers (Dutch social security number).

The personal data were registered in the two main IT systems of the Dutch Municipal Health Service (GGD) – CoronIT, containing details about citizens who took a COVID-19 test, and HPzone Light, a contact-tracing system, which contains the personal data of people infected with the coronavirus.

After becoming aware of the illegal trade, the GGD reported it to the Dutch Data Protection Authority and the police. The cybercrime team of the Midden-Nederland police immediately started an investigation. It showed that at least two GGD employees had maliciously stolen the data, as they had access to the official Dutch government COVID-19 systems and databases. Within 24 hours of the complaint, two men were arrested. Several days later, a third suspect was tracked down as well. The investigation continues, since the extent of the data theft, and whether the suspects in fact managed to sell the data, remain unclear. Therefore, more arrests are certainly not excluded.

Chair of the Dutch Institute for Vulnerability Disclosure, Victor Gevers, told ZDNet in an interview:

“Because people are working from home, they can easily take photos of their screens. This is one of the issues when your administrative staff is working from home.”

Many people expressed their disapproval of the insufficient security measures concerning the COVID-19 systems. Since the databases include very sensitive data, the government has a duty to protect these properly in order to prevent criminal misuse. People must be able to rely on their personal data being treated confidentially.

In a press release, the Dutch police also raised awareness of cybercrime risks such as scams or identity fraud. Moreover, they provided information on the possibilities of protection against such crimes and the need to report them. This prevents further victims and allows the police to immediately track down suspects and stop their criminal practices.

16 million Brazilian COVID-19 patients’ personal data exposed online

7. December 2020

In November 2020, personal and sensitive health data of about 16 million Brazilian COVID-19 patients was leaked on the online platform GitHub. The cause was a hospital employee who uploaded a spreadsheet with usernames, passwords, and access keys to sensitive government systems to the online platform. Among those affected were also the Brazilian President Jair Bolsonaro and his family as well as seven ministers and 17 provincial governors.

Among the exposed systems were two government databases used to store information on COVID-19 patients. The first, “E-SUS-VE”, was used for recording COVID-19 patients with mild symptoms, while the second, “Sivep-Gripe”, was used to keep track of hospitalized cases across the country.

However, both systems contained highly sensitive personal information such as patient names, addresses, telephone numbers, individual taxpayer’s ID information, but also healthcare records such as medical history and medication regimes.

The leak was discovered after a GitHub user spotted the spreadsheet containing the password information on the personal GitHub account of an employee of the Albert Einstein Hospital in São Paulo. The user informed the Brazilian newspaper Estadao, which analysed the information shared on the platform before it notified the hospital and the health ministry of Brazil.

The spreadsheet was ultimately removed from GitHub, while government officials changed passwords and revoked access keys to secure their systems after the leak.

However, Estadao reporters confirmed that the leaked data included personal data of Brazilians across all 27 states.

Admonition for revealing a list of people quarantined in Poland

27. November 2020

The President of the Personal Data Protection Office in Poland (UODO) imposed an admonition on a company dealing with waste management that was liable for a data breach and ordered it to notify the concerned data subjects. The admonition is based on a violation of personal data pertaining to data subjects under medical quarantine. The city name, street name, building/flat number and the fact of remaining under quarantine of the affected data subjects were provided by the company to unauthorized recipients. The various recipients were required to verify whether, in a given period, waste was to be collected from places determined in the above-mentioned list.

The incident had already occurred in April 2020. Back then, a list of data subjects was made public, containing information on who had been quarantined by the administrative decision of the District Sanitary-Epidemiological Station (PPIS) in Gniezno as well as information on quarantined data subjects in connection with crossing the country border and on data subjects undergoing home isolation due to a confirmed SARS-CoV-2 infection. After becoming aware of the revelation, the Director of PPIS notified the relevant authorities – the District Prosecutor’s Office and the President of UODO – about the incident.

PPIS informed them that it had carried out explanatory activities showing that the source of disclosure of these data was not PPIS. These data were provided to the District Police Headquarters, the Head of the Polish Post Office, Social Welfare Centres and the Headquarters of the State Fire Service. Considering the fact that these data had been processed by various parties involved, it was necessary to establish in which of them the breach may have occurred.

UODO took steps to clarify the situation. In the course of the proceedings, it requested information from a company dealing with waste management, which was one of the recipients of the personal data. The company, acting as the data controller, had to explain whether, when establishing the procedures related to the processing of personal data, it had carried out an assessment of the impact of the envisaged processing operations on the protection of personal data according to Art. 35 GDPR. The assessment consists of an analysis of the distribution method in electronic and paper form in terms of risks related to the loss of confidentiality. Furthermore, the data controller had to inform UODO about the result of this analysis.

The data controller stated that it had conducted an analysis considering the circumstances related to non-compliance with the procedures in force by data processors and circumstances related to theft or removal of data. Moreover, the data controller expressed the view that the list, received from the District Police Headquarters, only included administrative (police) addresses and did not contain names, surnames and other data allowing the identification of a natural person. Thus, the GDPR would not apply, because the data has to be seen as anonymized. However, the list also revealed that residents of these buildings/flats were placed in quarantine, which made it possible to identify them. It emerged that the confidentiality of the processed data had been violated in the course of the performance of employee duties of the data processor, who had left the printed list on the desk without proper supervision. During this time, another employee had recorded the list in the form of a photo and had shared it with another person.

Following the review of the entirety of the collected material in this case, UODO considered that the information regarding the city name, street name, building/flat number and the placing of a data subject in medical quarantine constitutes personal data within the meaning of Art. 4 (1) GDPR, while the latter comprises a special category of personal data concerning health according to Art. 9 (1) GDPR. Based on the above, it is possible to identify the data subjects, and therefore the data controller is bound to the obligations arising from the GDPR.

In the opinion of UODO, the protective measures indicated in the risk analysis are general formulations, which do not refer to specific activities undertaken by authorized employees. The measures are insufficient and inadequate to the risks of processing special categories of data. In addition, the data controller should have considered factors, such as recklessness and carelessness of employees and a lack of due diligence.

According to Art. 33 (1) GDPR, the data controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of the data breach, notify it to the competent supervisory authority. Moreover, in a situation of high risk to the rights and freedoms of the data subjects, resulting from the data breach (which undoubtedly arose from the disclosure), the data controller is obliged to inform the data subject without undue delay in accordance with Art. 34 (1) GDPR. Despite this, the company did not report the infringement, neither to the President of UODO nor to the concerned data subjects.

First judicial application of Schrems II in France

20. October 2020

France’s highest administrative court (Conseil d’État) issued a summary judgment that rejected a request for the suspension of France’s centralized health data platform – Health Data Hub (HDH) – on October 13th, 2020. The Conseil d’État further recognized that there is a risk of U.S. intelligence services requesting the data and called for additional guarantees.

For background, France’s HDH is a data hub supposed to consolidate all health data of people receiving medical care in France in order to facilitate data sharing and promote medical research. The French Government initially chose to partner with Microsoft and its cloud platform Azure. On April 15th, 2020, the HDH signed a contract with Microsoft’s Irish affiliate to host the health data in data centers in the EU. On September 28th, 2020, several associations, unions and individual applicants appealed to the summary proceedings judge of the Conseil d’État, asking for the suspension of the processing of health data related to the COVID-19 pandemic in the HDH. The worry was that the hosting of data by a company which is subject to U.S. laws entails data protection risks due to the potential surveillance done under U.S. national surveillance laws, as has been presented and highlighted in the Schrems II case.

On October 8th, 2020, the Commission Nationale de l’Informatique et des Libertés (CNIL) submitted comments on the summary proceeding before the Conseil d’État. The CNIL considered that, despite all of the technical measures implemented by Microsoft (including data encryption), Microsoft could still be able to access the data it processes on behalf of the HDH and could be subject, in theory, to requests from U.S. intelligence services under FISA (or even EO 12333) that would require Microsoft to transfer personal data stored and processed in the EU.
Further, the CNIL recognized that the Court of Justice of the European Union (CJEU) in the Schrems II case only examined the situation where an operator transfers, on its own initiative, personal data to the U.S. However, according to the CNIL, the reasons for the CJEU’s decision also require examining the lawfulness of a situation in which an operator processes personal data in the EU but faces the possibility of having to transfer the data following an administrative or judicial order or request from U.S. intelligence services, which was not clearly stated in the Schrems II ruling. In that case, the CNIL considered that U.S. laws (FISA and EO 12333) also apply to personal data stored outside of the U.S.

In its decision, the Conseil d’État agreed with the CNIL that it cannot be totally discounted that U.S. public authorities could request Microsoft and its Irish affiliate to access some of the data held in the HDH. However, the summary proceedings judge did not consider the CJEU’s ruling in the Schrems II case to also require examination of the conditions under which personal data may be processed in the EU by U.S. companies or their affiliates as data processors. EU law does not prohibit subcontracting U.S. companies to process personal data in the EU. In addition, the Conseil d’État considered the violation of the GDPR in this case was purely hypothetical because it presupposes that U.S. authorities are interested in accessing the health data held in the HDH. Further, the summary proceedings judge noted that the health data is pseudonymized before being shared within the HDH, and is then further encrypted by Microsoft.

In the end, the judge highlighted that, in light of the COVID-19 pandemic, there is an important public interest in continuing the processing of health data as enabled by the HDH. The conclusion reached by the Conseil d’État was that there is no adequate justification for suspending the data processing activities conducted by the HDH, but the judge ordered the HDH to work with Microsoft to further strengthen privacy rights.
