The Limited Times


Massive privacy issues with coronavirus tests

2021-05-28T05:10:41.071Z


Data and corona test results from thousands of citizens were openly visible. The providers face fines, but confidence in the tests could be weakened, fears Baden-Württemberg's data protection officer.


Corona test on a returnee. Photo: Moritz Frankenberg / dpa

Anyone who takes a corona test must be able to trust that their personal data will remain protected. But that is not always the case. As early as March and April, security researchers were able to view weakly secured data from tens of thousands of citizens on the Internet. According to SPIEGEL information, there are now two serious cases of violations in Baden-Württemberg, which the state data protection officer, Stefan Brink, is investigating. Specifically, several thousand items of personal data and test results were openly visible, as the authority reports on request. In one of the two cases, the affected company operates several test centers in the state. In the other, the affected party is a service provider in the country that also processes data for test centers in other federal states. According to SPIEGEL information, various test stations in Germany are affected.

"Corona tests are a sensitive topic," says the responsible Baden-Württemberg data protection officer, Brink. They involve processing data that are fundamentally "susceptible to discrimination". Brink means, for example, the risk that authorities or the employer could be informed about a positive test result. "This is information that you might not even want to share with family and friends. If everyone has theoretical access to it, that's a massive mistake," says Brink.

Those being tested often give an email address before the swab is taken. Once the result has been determined, it can be called up on the provider's website. Normally it should be secured with at least a combination of email address and password. The problem: sometimes the result is protected only by a password, and sometimes that password can even be guessed. "There are providers who simply use a consecutive combination," says Brink. With some luck, it is possible to find results simply by guessing. Even if there is further security through a personal email address, a consecutive password can still lead to problems. "If I see someone in line in front of the test center and know their email address, I can count out the password," says data protection officer Brink.
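The weakness described above, as an added sketch that is not from the article or from any test provider: an audit check that flags consecutive result codes, next to a lookup that requires the email address together with a random 128-bit code and locks an address after repeated wrong guesses. The names `ResultStore`, `looks_sequential`, `MAX_FAILURES` and the lockout threshold are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

MAX_FAILURES = 5  # assumed lockout threshold per email address


def looks_sequential(codes):
    """Audit helper: True if issued codes are numeric with a constant step."""
    try:
        nums = sorted(int(c) for c in codes)
    except ValueError:
        return False
    return len(nums) > 2 and len({b - a for a, b in zip(nums, nums[1:])}) == 1


class ResultStore:
    """Result lookup that needs email AND an unguessable code (hypothetical design)."""

    def __init__(self):
        self._records = {}   # email -> (salt, code_hash, result)
        self._failures = {}  # email -> consecutive failed lookups

    @staticmethod
    def _hash(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def register(self, email, result):
        code = secrets.token_urlsafe(16)  # 128 random bits, not a counter
        salt = secrets.token_bytes(16)
        self._records[email.lower()] = (salt, self._hash(salt, code), result)
        return code  # handed to the tested person only; the store keeps the hash

    def lookup(self, email, code):
        email = email.lower()
        if self._failures.get(email, 0) >= MAX_FAILURES:
            return None  # locked: repeated guessing against one address
        salt, expected, result = self._records.get(email, (b"", b"", None))
        if not (expected and hmac.compare_digest(self._hash(salt, code), expected)):
            self._failures[email] = self._failures.get(email, 0) + 1
            return None
        self._failures[email] = 0
        return result
```

A real deployment would add a way to unlock or re-issue a code for the legitimate person, since a per-address lockout can also be triggered by someone else's guesses.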

Providers are not high profile providers in the healthcare sector

According to the top data protection officer of Baden-Württemberg, there are also numerous other, quite serious shortcomings: For example, some test centers include tracking services on their websites and in notification e-mails or store personal data in third countries without adequate protection.

This would reveal sensitive health data to third parties that they could use for commercial purposes.

The providers concerned are also, and above all, companies that are not high-profile providers in the healthcare sector.

Brink sees no excuse in this.

"Anyone who handles medical data must meet the highest standards," says the data protection officer.

If the test was taken for a trip, for example, there is even more personal data on the Internet, including the passport number. Brink considers the lax approach of some providers to be "extremely serious and extremely annoying". Health data belong to the top category of sensitive information about a person. The authority has therefore also initiated fine proceedings. Theoretically, fines of up to 20 million euros are possible. However, these are based on the company's turnover. If data from the health sector is affected, the fine is often substantial.

Cases of abuse have not yet been reported. The data leaks were closed very quickly. But the damage is far greater. "Such data protection gaps discourage people from being tested. That makes the openness for the important tests completely unnecessary," says Brink. As a test person, it is difficult to recognize that there are data protection problems. "You can really only ask how and where the data is processed exactly. If you have any doubts, you should contact the data protection officer in your state immediately," says Brink.

Source: spiegel
