An insufficiently secured database of a large coronavirus test provider allowed Nieuwsuur to access the medical and personal data of tens of thousands of people. In the data of the company U-Diagnostics we found records of, among others, holidaymakers, employees of Ahold and hundreds of military personnel. Dozens of general practitioners also use the test service.
According to experts, U-Diagnostics is violating the law in several areas, and there is a data breach. The company itself says it is not violating privacy law.
How did we find out?
Nieuwsuur started the investigation after a tip from an internal source at U-Diagnostics who was concerned about the security of the privacy-sensitive data. We got access to a WhatsApp group used by around 300 company employees from across the country as a call and help desk:
But it's not just used for asking questions. Data is also shared there, visible to all 300 employees, from Groningen to Middelburg. In the app group we see, among other things, the mobile number of a Dutch top model and that of a young professional footballer.
Names and dates of birth are shared, as well as photos of bank account numbers and information from banking apps:
We presented these findings to Frederik Zuiderveen Borgesius, Professor of ICT & Law at Radboud University. According to him, the app group does not meet the requirements of the privacy law, the GDPR. “The main rule is that this type of data must be properly protected. That doesn't seem to be in order here.”
The professor says the risk of fraud is high because this information is shared on WhatsApp. “With that kind of data, you can try to order things online and pass yourself off as someone else,” he explains. “And then have the bill sent to that person. Or you can try to borrow money in someone else's name and spend it, but not pay it back.”
It doesn't stop at account numbers. Test results are also sent around with full names, as well as photos of passports and ID cards:
Also very susceptible to fraud, according to Zuiderveen Borgesius. “With a photo of a passport with a social security number and passport number on it, you can quickly convince some organisations that you are that person.”
And that some 300 other employees from all over the country can access this data is not how it is supposed to be, says Professor of Health Law Jaap Sijmons. “You can't share all that with each other on one platform.”
The U-Diagnostics database appears to be insufficiently secured
There's more data we could see. U-Diagnostics also has a customer database that employees use. Logins and passwords for it are passed around in the app group. “What is the code for Waalwijk?? The password?” asks an employee. “Coronay1!!” answers another.
Apart from a shared email address and a shared password, the database does not appear to be protected at all. We found a great deal of sensitive personal data readable there:
Detailed data is available on Ahold staff and on professional footballers of FC Volendam and FC Utrecht.
The Ministry of Defence also turns out to be a customer of U-Diagnostics. Personal data of military personnel can all be found there. Take a look at the data we were able to see on hundreds of soldiers:
Defence is always very reluctant to share and process personal data of military personnel, says defence expert Christ Klep. “That is also logical: you want to avoid reprisals against people who, for example, have fought against a terrorist movement and are then recognisable.”
“If you combine the data from the U-Diagnostics database with public data, you will soon be able to find out when and where the military have been. Then you make it very easy to put that puzzle together.”
Striking is a group that was tested for a trip to Norway for winter training. We see passport numbers and phone numbers of a commander and members of the so-called 1st Combat Group, a unit of the Marine Corps that can be deployed abroad and supports special units on secret missions.
“Defence has an active policy of keeping this confidential information behind closed doors,” says Klep. “The consequences can be significant if individuals or foreign services gain access to the database.”
U-Diagnostics was informed of the findings before this publication. In a response, the company states that it does not violate privacy legislation. Using a WhatsApp group to exchange personal and medical information “is permitted because it only contains employees,” says Managing Director Maarten Cuppen.
Cuppen says that his company's customers do not have to worry about their private information and that he did not break the law:
Despite this, the database has been given extra security since last night and is said to no longer be easily accessible to outsiders.