Personal and medical information of at least tens of thousands of people who were tested for corona at a commercial company is not properly secured, according to research conducted by Nieuwsuur.
This concerns sensitive personal data and medical data, which were shared in a WhatsApp group of 300 members and could be accessed in a poorly secured database. According to experts, this constitutes a data breach and a violation of privacy legislation.
The data belongs to customers of the test company U-Diagnostics. These include tourists who booked a holiday via TUI or Corendon, employees of the food group Ahold, players of FC Utrecht, general practitioners and healthcare institutions. The Ministry of Defence also has deployed military personnel tested at U-Diagnostics. In response to the news from Nieuwsuur, the Ministry states that it has immediately suspended the corona tests for military personnel and that it has filed a report with the Dutch Data Protection Authority.
Large data leak
Birth dates, passport numbers, social security numbers (BSN), email addresses, travel destinations and test results of all these people can easily be viewed by third parties. There is a risk of scams, fraud and blackmail if such personal data fall into the wrong hands. Nieuwsuur consulted several experts. They speak of a large data leak because it concerns a large number of people and, moreover, sensitive personal data.
U-Diagnostics was informed of the findings before this publication. They state in a response that they do not violate privacy legislation. The use of a WhatsApp group to exchange personal and medical information “is permitted because it only contains employees”, says Managing Director Maarten Cuppen. Nevertheless, the database has been given extra security since last night and is said to no longer be easily accessible to outsiders.
WhatsApp Group with 300 employees
U-Diagnostics is a large commercial corona testing company that has set up test sites throughout the country under the brand name Health Check Centre. By its own account, U-Diagnostics tests thousands of people a day for corona. Nieuwsuur gained access to the U-Diagnostics database and to a WhatsApp group of the company containing about 300 employees who conduct tests at locations across the country.
The WhatsApp group functions as a helpdesk. Employees who test customers in Groningen or Rotterdam, for example, can ask practical questions in the group. In the group, employees exchange patients' personal and medical information, visible to all members. Photographs of passports, bank statements, completed tests and test results are also passed around. All these personal data are visible to every member of the group.
According to Professor of Health Law Jaap Sijmons, this is medical information, which should not be shared in groups. “Only the person directly involved in a person's treatment should have access to the information of that particular patient. In this case, that is testing, communicating the test result or administrative processing.”
Sharing the information in a WhatsApp group with employees from across the country, who thereby have access to patient information from test sites where they do not work, is not as it should be, says the professor. “So you can't share all of that with each other on one platform.”
Personal information of military personnel
The WhatsApp group is also used by employees to request passwords to log in to the system. These credentials consist of generic, shared email addresses and passwords. The U-Diagnostics database can be accessed without additional security such as two-step verification or a personal SMS code. In the database, Nieuwsuur found the data of tens of thousands of people tested for corona.
This database also lists the Ministry of Defence as a client for corona tests. Personal data of military personnel, including BSN and passport numbers, can all be found there. The system also makes it possible to look up where military personnel took a corona test and where they subsequently departed to.
“For example, for a foreign intelligence unit, all these data together are very interesting,” says military historian Christ Klep. “Very helpful for those who want to form a picture of our units and the men in them. I would dare say that with this information half the puzzle has already been laid.”
In the database, Nieuwsuur found soldiers from the First Combat Group of the Marine Corps. “That is a unit that is frequently deployed and works in war zones. That is exactly the data you don't want out on the street,” explains Klep.
Director Maarten Cuppen of U-Diagnostics says in a comment that the company has handled the military's personal information correctly. “But I think it could be better secured. I have been in contact with the Defence Department and steps are already being taken.” According to Cuppen, U-Diagnostics customers don't have to worry about their private information. “People have been treated safely, the tests have been adequately processed and the results are good. We have set up our platform in accordance with GDPR law and regulations.”
Nieuwsuur also submitted the findings to Professor of ICT & Law Frederik Zuiderveen Borgesius of Radboud University. According to him, a personal login should always be used for these types of databases. “You can give each employee their own card and a login with a personal code. Or a unique code that is sent by text message. If a password leaks, a malicious person can't do much with it. Obviously, none of this happened here, and that is wrong.”