A security breach by the Ministry of Health has exposed the personal and health data of some 100,000 people from Madrid for an indefinite period, according to information provided by the regional chain
Telemadrid,
which ensures that, at least until mid-afternoon this Wednesday, it was accessible. Among that information, there was that of the King, the President of the Government, Pedro Sánchez, the former president José María Aznar or the leader of the opposition, Pablo Casado, all residents of Madrid.
When entering an apparently unencrypted link on the Health website, and if a proxy program was available - a
software
that analyzes what is happening on the computer, the websites that are visited and the services that are being used -, it was enough Enter the person's ID to be able to see personal information such as telephone number, address, where the covid-19 vaccine had been received, if it had been done, when, with what dose, in which arm or who vaccinated them. "We are talking about data hosted on health portals in the Community of Madrid, such as the server for managing the self-appointment of vaccination against covid, which could be made available to anyone," says the information from Telemadrid.
From the Ministry of Health they send a written response in which they explain that this Wednesday they have detected "a security vulnerability in the functionality of the citizen portal to obtain the covid certificate" and that "that gap is already blocked." This incident, according to the Community, "has been caused by the upload of an update that passed the test protocols and that in the start-up process generated a gap that has been solved within hours after being detected by quality services" . In any case, says the reply of the counseling, "the incidence did not affect clinical data and of course it did not compromise any alteration of information in the databases." In addition, they add, "to access that information you would need the ID of the person in question."
In an extension of this response, the Community insists that “it is false that any citizen can enter the web pages of the Ministry of Health of the Community of Madrid to obtain the COVID certificate and that confidential information such as clinical data of the Rey, the President of the Government or other former presidents ”.
During the newscast, however, the chain has explained that they have accessed to make checks, pointing to how "easy" it is to get the identity document number on the web. And, if you have the right knowledge to download a proxy (there are free ones on the web), accessing that information was not very complicated. Thus, they have counted, they have been able to see the telephone number, dose and arm in which the King was vaccinated, for example, on Saturday, May 29. The same with the President of the Government, Pedro Sánchez, who was immunized on June 28 at the Puerta de Hierro hospital. And also the data of the Minister of Equality, Irene Montero or the former Vice President of the Government, Pablo Iglesias.
Samuel Parra, a lawyer specializing in data protection, explains that after closing the gap, "which is the most immediate thing to do", the Administration in question, in this case the Ministry of Health, must make "a communication to the Incibe" , the National Institute of Cybersecurity of Spain. "In addition, as it is sensitive information, it must communicate to those affected, individually, the existence of this gap and what information has been leaked," he adds. And also, in addition, the Community has to inform the Spanish Data Protection Agency: "Either due to an attack or due to a bad configuration of the system itself."
Being, as the Community explains, a bad configuration, "there may be disciplinary measures against the administration, which has the obligation to protect the data to prevent inappropriate access by unauthorized third parties." Affected citizens, what can they do? "People can report it to the Spanish Data Protection Agency," says the lawyer. Although he adds that, “seeing the volume of affected people, the most probable thing is that the agency itself will initiate a procedure to clarify what has happened, if from an administrative point of view the regulations have been violated because the measures were not adequate or were not they established the legal protocols required to protect the information ”.
If they wanted, adds Parra, "they can go a step further": "If the person considers that they have suffered a small moral damage or are uneasy because their data has been exposed, they can claim patrimonial responsibility".
That is, an economic compensation to the Administration.
Subscribe here
to our new newsletter about Madrid.