According to the DoH, some users of the COVIDCert NI service were presented with data of other users under certain circumstances. It said that a limited number of users were potentially exposed to data of other users.
COVIDCert enables fully vaccinated individuals based in Northern Ireland to obtain a digital certificate confirming their COVID-19 vaccination status. It is a separate system from the National Health Service (NHS) COVID Pass used in England and Wales, and a similar vaccine passport-style service used by Public Health Scotland. (Related: British clergy warn COVID vaccine passports will lead to "medical apartheid" as protests against mandatory vaccinations spread across Europe.)
The Northern Ireland service is available via the covidcertni.nidirect.gov.uk website or mobile app for Android and iOS users. Both the COVIDCert website and the mobile app endpoints were down when tested by BleepingComputer, a website covering technology news.
"Our services aren't available right now. We're working to restore all services as soon as possible. Please check back soon," reads one of the error messages thrown by the service in its website.
Meanwhile, the "resource...removed" message is being shown to users of the mobile app attempting to log in.
The DoH immediately reported the issue to the UK's Information Commissioner's Office (ICO). "The DoH takes the privacy of citizen's data very seriously and contact has been made with the ICO as part of due diligence in protecting citizen's data," the department said in a notice published Tuesday, July 27.
"Immediate action has also been taken to temporarily remove a part of the service that manages identity."
The DoH also published a list of parties not impacted by the incident, including applicants who already have their certificate (their apps or paper copies are still operational); applicants who have lodged an application using the online portal for a downloadable PDF who have not yet received it (their PDF will be delivered); and applicants who have lodged an application using the COVIDCert NI app for an electronic certificate who have not yet received it (they will be sent a PDF as an interim step).
Certain individuals who have already filed an application for a digital certificate or are pending identity checks will also not be impacted by the incident. They can continue to avail the services normally once operations are restored.
Applicants who have lodged an application for an electronic certificate but received a PDF copy instead will be able to log in and download an electronic version after the issue is fixed. Applicants who are currently undergoing identity validation in the NIDirect workflow can continue. Once successfully validated they will need to pause until the issue is fixed.
Some users may not be able to log in through their NIDirect account as they have been locked due to the technical issue.
The data incident came at a time when there's much scrutiny and worry concerning COVID-19 vaccine passports among members of the public. Healthcare data breaches are increasing exponentially year after year, and it doesn't seem like they're going to slow down any time soon.
It's important for healthcare IT professionals to take steps to safeguard their systems, whether that means protecting against external threats posed by hackers and cyber criminals or securing internal threats that come from access abuse from internal users.
Healthcare data is valuable on the black market because it often contains all of an individual's personally identifiable information, as opposed to a single piece of information that may be found in a financial breach.
According to a Trustwave report, a healthcare data record may be valued at up to $250 per record on the black market, compared to $5.40 for the next highest value record – a payment card.
Most of these breaches can be attributed to criminal insiders and hackers gaining access through third-party vendors. The Ponemon Institute found that the costs associated with remediating a breach are estimated at $740,000. If a third party causes a data breach, the cost of the attack increases by more than $370,000.
Industry experts say the attack vectors are most likely to be ransomware or SQL injection attacks that can occur when a malicious email, website or software is installed or accessed within a network, often by an unsuspecting user.
The healthcare industry is particularly vulnerable to malicious ransomware attacks. In Jan. 2018, an attack forced the IT people at Hancock Health to shut down their systems while their patients' personally identifiable pieces of information were held hostage.
The breach was traced back to a hacker who used a third party's remote access portal and credentials, which are both leading causes of cyberattacks. The hospital was later forced by the attacker to pay $55,000 using the cryptocurrency bitcoin before releasing the healthcare data.
The true danger of hackers targeting healthcare facilities lies in the urgency of healthcare staff needing access to patient files on the spot. In some cases, it literally could be a matter of life and death. (Related: Hackers shut down operations in Wyoming hospital, forcing patients to be transferred.)
Hackers who target healthcare facilities know that once they gain access through VPN, credentials or phishing, there's no way to restrict access to the information they've encountered. Once that door has been opened, it means unlimited and unrestricted access to dozens, hundreds or even thousands of patient files.
Follow CyberWar.news for more news about cyberattacks.