Data of thousands of Dutch citizens leaked from government Covid-19 systems

The personal data of thousands of Dutch citizens has been leaked from the systems of Municipal Health Services (GGD), the organisation that coordinates Covid-19 testing and vaccination policy in the Netherlands.

Because of outdated systems and insufficient access control, almost all GGD employees had access to sensitive information, which has been illegally traded on the internet.

The data breach involves data from two GGD systems – CoronIT, which contains the private data of Dutch citizens who have taken a coronavirus test, and HPZone, an electronic file for source-and-contact research performed by the GGD. Addresses, telephone numbers, email addresses and citizen service numbers were accessed.

It is believed that the datasets of thousands to tens of thousands of people are in circulation. According to RTL Nieuws, criminals gained access to the data by bribing GGD employees.

About 26,000 GGD employees and call centre staff at test facilities have access to CoronIT. Also, 8,000 employees have access to all information in the HPZone source-and-contact investigation system. But according to the GGD’s professional association, the GHOR, not everyone is allowed to access everything. Only the people who need access to a file for their work are allowed to see it, but this is checked only randomly, which now appears insufficient.

In fact, it has been clear for some time that the ageing systems in use are not particularly suitable in the coronavirus crisis. As early as December, health minister Hugo de Jonge wrote about “some vulnerabilities” that had come to light after a risk analysis. In that letter to parliament, De Jonge specifically mentioned the risk of data leaks. To minimise that risk, better identity and access management must be put in place to prevent unauthorised users gaining access to certain data, he said.

Interviews conducted by Dutch newspaper De Volkskrant with people involved with the Netherlands Ministry of Public Health have also revealed concerns about the privacy and security of the GGD systems since spring 2020. For example, employees of laboratories that processed Covid test results were able to view all sorts of personal data, including citizen service numbers, which was not necessary.

The newspaper reported that it was clear from the start that GGD staff could access all data, even though the GGD website said employees could only see the data of the person they were calling. According to one person involved in the Volkskrant interviews, the ministry offered help to solve the privacy problems at the GGD as early as August, but this was refused by the authority.

In September last year, a Volkskrant journalist realised the fragility of the system when he volunteered at a testing facility. He was given full access to CoronIT on his second day at work and was able to retrieve the data of everyone in the system, without any training or control, he reported in an article.

Although there had been concerns for months about the security of privacy-sensitive data in the GGD systems, Minister De Jonge announced in December that CoronIT would be deployed more broadly to support the vaccination programme in the Netherlands because the system could be adapted easily.

The major weakness of the system is its export function, which makes it easy to download and forward lists of personal data. Information held by the Dutch news service NOS shows that this function was deliberately built into the system to be able to make reports and export data to other systems. According to RTL Nieuws, there had been great concern among employees for months, but this was brushed aside by managers.

The GGD did not properly keep track of what information employees were looking for. As a result, people with malicious intent could carry out their activities for months. Meanwhile, dozens of staff have been fired for unauthorised use of the systems and a number of them have been arrested on suspicion of illegal trading of personal data.

Dave Maasland, director of security company ESET, suspects that the situation at the GGD is not unique. “I fear that at an average customer contact centre, this is very likely the current situation as well,” he said.

Maasland refered to a case in which a hospital in The Hague was fined heavily in 2019 for inadequate supervision of its own staff. They had viewed the file of a Dutch celebrity who was admitted to the hospital at the time, without a valid reason.

After the furore following the disclosure of the data breach, the GGD announced an accelerated switch to a new system for source-and-contact research and to phase out HPZone.

The GGD has now called in cyber security specialist Fox-IT to assist with the forensic investigation of logs made in CoronIT. The company will also monitor the logs for GGD GHOR until a fully automatic and constant monitoring system is put into use at the end of March.

For HPZone, the GGD has implemented extra measures, including removing the most important export functions. The new system, GGD Contact with the accompanying BCO portal, will be operational in March. Until then, the current systems will be locked down as much as possible to guarantee the safety of private data.

However, this has resulted in municipalities and care institutions reporting difficulties in retrieving information from the systems and so they no longer have a good overview of coronavirus distribution in their region. This problem is expected to persist until the new system is up and running.

After implementing a new system ensuring better security for CoronIT, the GGD is left with the major task of restoring citizens’ trust in how it handles sensitive information, so they will not be hesitant to get tested. This task seems to be the most difficult of all.