In the “Registration Center” – overwhelmed again: “E.sveikata” openly shared the personal data of any patient and their information on visits to doctors

In the pre-registration system, by changing the numbers in the address line, it was possible to know which patient is registered with which doctor: name and surname, personal identification number, medical record number, as well as data that is not difficult to assess according to the personal identification number: age, sex, date of birth. .

At the same time, it was indicated to which doctor the person was registered, for what day and at what time, and what is the doctor’s work address. From these data, it is possible to predict what health difficulties a patient faces.

Spokesperson for the Mindaugas Samkus Records Center 15 minutes reported that the Patient Pre-Registration System was immediately closed upon receiving information about this security vulnerability: “Upon receiving information about a possible security vulnerability, the Pre-Patient Registration Information System (IPR IS) is temporarily suspended. Currently, the specialists of the Registry Center are clarifying the situation and the reasons for the possible breach, ”he wrote.

According to M. Samkus, steps have already been taken to close the data protection gap and the patient pre-registration system is expected to be operational again in the near future.

We remind you that this is no longer the first error of a similar nature to be found in the “ehealth” system. 2018 Cybersecurity expert Darius Povilaitis discovered and published another similar loophole in the summer, which allowed information such as the patient’s name, personal identification code, registration code in the internal electronic health system, marital status, to be known, the residence registration address, the registration codes of related persons in the internal electronic health system. , as well as the telephone numbers and email addresses of the patient and related persons, if such data is entered into the system. A pre-trial investigation was launched against the cybersecurity expert for revealing this loophole.

as well 15 minutes applied to the State Data Protection Inspectorate (SDPI) to assess the scope of the violation of data privacy and the possible consequences for the Registry Center. Upon receipt of the response from VDAI, we will supplement this article immediately.