Private data leak in GGD Covid system existed for months: report

GGD employees have been able to download or print out lists of people who got tested for the coronavirus from the health service's coronavirus test system since April last year, NOS reports based on instructions for GGD employees which it has in its possession.

An export function, which has formed part of the GGD system since April last year, allowed employees to download lists of tested persons and forward them to others. Only after RTL Nieuws reported that such lists of data were being sold on Telegram on Monday, and the police arrested two GGD call center employees, did the GGD remove the export function, according to NOS.

Since June 1 last year, nearly 8 million coronavirus tests have been done and some 800 thousand source and contact investigations have been conducted. The GGD databases contain the data of all those people. And that data could be exported and shared at the click of a button. The idea behind the export function was to make it easier to get data for reports and to transfer data to other systems.

Instructions to GGD employees on how to use the CoronIT system and the HPzone system, which contains details of source and contact research, also shows that employees can search for specific people in the systems. The idea behind this was that employees can quickly find test results and not create duplicate files. But files can also be exported and forwarded to others, according to NOS.

According to RTL Nieuws, the GGD has been aware of these privacy issues for months. Over the past days the broadcaster spoke with dozens of GGD employees responsible for making Covid-19 test appointments and source and contact tracing. Many said that they've reported privacy concerns to the health service months ago, but each time were told that it was not important enough to deal with immediately or received n response at all.

Umbrella organization GGD GHOR Nederland did not respond to NOS' questions about this.