Personal and medical information of at least tens of thousands of people who were tested for corona at U-Diagnostics are not properly secured, according to research conducted by Nieuwsuur.
These are sensitive personal and medical data, which were shared in a WhatsApp group of 300 members and were accessible in a poorly secured database. According to experts, this constitutes a data breach and violates privacy legislation.
Read the full response of both U-Diagnostics and the companies affected below:
The written response of U-Diagnostics:
Director Maarten Cuppen: “Assuming your findings are correct, I am very shocked. We are currently in the process of mapping, investigating and addressing your findings.”
“As you know, we attach great importance to careful action, as I think we have already demonstrated this through our immediate improvements to the non-Covid-19 certificates for travellers abroad, which were then falsified by third parties.”
“Where there is a risk that privacy sensitive data is unauthorized and unauthorized or threatened to be shared, action is taken immediately to stop it.”
“Where this has already taken place, we will appeal to the relevant employees who have done so on their conscience and possibly take (heavy) personnel measures. We will inform our individuals at a disadvantage and take appropriate (harm reduction) measures.”
“The app group you refer to will be informed that you have been granted access to it. There will be a ban on the exchange of extensive personal data. Where personal data need to be exchanged, procedures are further tightened if necessary.”
“The computer system you have been given access to will be better secured as soon as possible (tonight), so that only expressly authorized agents have access to it.”
“We are, of course, also in the process of investigating how this could have taken place. We will immediately report a possible data breach to the Dutch Data Protection Authority tomorrow and cooperate with any further investigation by this service.”
“We will contact affected clients and see how we can solve this in consultation. People who suspect that their privacy has been violated can report to us.”
“We have noted your findings with concern. Indeed, we work with U-Diagnostics and allow our customers and, where appropriate, our employees to be tested through U-Diagnostics, bearing the costs. We have been doing this for over six months and generally to full satisfaction. Furthermore, our travellers and employees are free to choose to have themselves tested there or through another organisation. We are not involved in the agreements between the customer and U-Diagnostics or the process of registering personal and test data of our customers; these register themselves and receive the test result immediately.”
“Corendon does not provide any customer data to U-Diagnostics and we are not informed of the results. The security of personal data is the sole responsibility of U-Diagnostics and that is how it is contractually established.”
“We have now asked U-Diagnostics for clarification in response to your findings, are awaiting their response and will then consult with them in the shortest possible time. Although U-Diagnostics itself has full responsibility for the registration and security of personal data, the privacy of our customers and our employees is very much to our heart and we expect U-Diagnostics to confirm that they comply with all laws and regulations on this area and that they have now corrected or will immediately correct any deficiencies identified so that we can continue our cooperation.”
“In cooperation with U-Diagnostics, we facilitate our employees to get tested. In any case, it is excluded that any data from our clients has been leaked.”
“When entering into cooperation with U-Diagnostics, GgNet was familiar with the privacy regulations of U-Diagnostics. U-Diagnostics also stated to work in accordance with NEN7510.”
“Of course, information security and privacy is of the utmost importance for us as a healthcare organisation. By law it is regulated that we, like all other healthcare institutions, are subject to strict privacy legislation. Patients and employees should be confident at all times that their confidential data is well protected.”
“We are investigating what exactly is going on and we are in close contact with U-Diagnostics. Whether there is a data breach, as you say, is still being investigated by them at the moment.”
“In the contract we have concluded with U-Diagnostics, it has been established that both parties (TUI and U-Diagnostics) guarantee that they will comply with the General Ordering Personal Data at all times with regard to receiving and exchanging personal data. It is therefore worrying that, contrary to contractual agreements, personal data at U-Diagnostics are apparently not properly secured.”
“Obviously, this is not in line with our own strict policy on the protection of personal data. We will ask U-Diagnostics for clarification. Should it indeed prove that the security of personal and medical data is not in accordance with applicable laws and regulations, we will take further steps towards U-Diagnostics.”
“We have had an occasional test carried out by U-Diagnostics, they are not our regular party with whom we do business. We are not aware of the way in which his personal data are secure.”
“We are frightened by this, because of course this cannot be done. It is never a good thing that personal data are transparent to other parties, neither is this.”
“We switched directly with the KNVB to make an inventory of whether this case has occurred more often. We also spoke with U-Diagnostics and told them to be unpleasantly surprised with the news from Nieuwsuur. Of course, we only want to do business with parties whose data management is good.”
“FC Utrecht has been aware of the data breach at U-Diagnostics since today and is very surprised and disappointed that this has happened. FC Utrecht considers the protection of personal data to be of great importance and we expect this from the companies where we purchase services. That is why we take the issue very seriously and have asked U-Diagnostics to explain the situation and how it could have happened.”
“We are going to investigate what the impact of the data breach on our organization.”
“We were informed this afternoon by U-Diagnostics about what happened. We took immediate action and stopped cooperation.”
Data Protection Authority:
The Dutch Data Protection Authority confirms that a notification has been made of this data breach. We are currently studying this report and asking the Defence Department for more information. It is important to secure personal data properly and to ensure that not everyone can access everywhere.
Data on a person's health is sensitive. The General Data Protection Regulation (GDPR) therefore classifies it as special personal data. This type of data must be given extra protection compared to, for example, address data.