The Data Protection Authority completes the investigation into a vulnerability in Heilsuvera’s security that was discovered in June 2020 and fixed the same day
3rd July 2023
On June 8, 2020, a serious vulnerability in security was discovered in Heilsuvera’s maternity section and in the communication section of My Pages, which is managed by the Directorate of Health but developed and operated by Origo. Less than an hour after the vulnerability was reported, Origo had verified its existence and shut down Heilsuvera. In about five hours, changes were made to the system that fixed the vulnerability, it was reviewed and confirmed by the security company Syndis. After that, the system was put back into use.
-Automatic translation
The Directorate of Health regrets the vulnerability in security and does not shirk responsibility in this regard. The weakness was dealt with immediately and without hesitation. Immediately following the incident, a detailed analysis confirmed that no one abused the vulnerability in security during the time it was present and that the personal data of Heilsuvera’s users did not fall into the hands of unauthorized parties.
The Directorate of Health notified the Data Protection Authority on the same day of the nature and extent of the security breach in accordance with law and based on the available information at the time. Following the announcement, The Data Protection Authority started an investigation into the case. In the decision of the Data Protection Authority, now three years later, it was concluded that the Directorate of Health had not adequately ensured the security of personal information on parts of Heilsuvera's website.
In the office's communications in connection with the case, the office has informed the Data Protection Authority about all aspects of the case with integrity and according to the best available information at any given time. The office completely rejects the statements made in the decision of the Data Protection Authority that the office's employees have given contradictory and misleading information during the handling of the case.
The Directorate of Health reiterates that no one took advantage of the vulnerability in security to gain access to information about individuals or their health conditions in Heilsuvera. From the beginning, the office has emphasized security and personal protection during the development and operation of software solutions due to the sensitive personal information they contain. Following the discovery of the vulnerability in security, the office has placed even more emphasis on these aspects with, for example, more detailed and frequent security audits and improved processes for updates and additions. The Directorate of Health asserts that My pages on Heilsuvera.is are as secure as possible and that the security of citizens' health information is as guaranteed as possible on the website.
In the coming days, the Directorate of Health will thoroughly review the grounds and outcome of the decision of the Data Protection Authority, in which the office is fined 12 million ISK.
More information is provided by Alma D. Möller, Medical Director of Health, and Ingi Steinar Ingason, Director of the National Center for E-Health.
Please contact Kjartan Hreinn Njálsson, phone 663 3624, kjartan.h.njalsson@landlaeknir.is.