More privacy risks in GGD coronavirus systems: report
More IT problems at municipal health services GGD mean that coronatest.nl, the government website for Covid-19 test appointments and results, is not properly secured, NOS reports based on confidential documents it got to see. As a result, the data of millions of people who got tested for Covid-19 through the GGD is not well protected, according to the broadcaster.
Exactly what security problems are involved, was not stated in the confidential documents, according to NOS. But they are serious enough that the Ministry of Home Affairs threatened to disconnect coronatest.nl with DigiD, the identification system through which Netherlands residents can log into various online government services. If this happens, people won't be able to make an appointment or view their results on the coronavirus website.
The government has strict requirements for the use of the DigiD login module. The GGD, which is responsible for the coronatest.nl site, didn't meet eight of those requirements since the site was launched in August. Three concerned "high risk" problems. According to NOS, the GGD was made aware of the problems several times and has so far only solved two of them, one of which was serious. So far, the health service missed three deadlines to have all eight problems fixed, according to the broadcaster.
Logius, the organization that manages DigiD, told NOS that so far no unsafe situations arose because of the GGD issues. Umbrella organization GGD GHOR Nederland acknowledged that they still don't meet all the requirements set for the use of DigiD, but they are working on it. The backlog has "no consequences for the accessibility of the website," a spokesperson said to the broadcaster.
This is not the first privacy issue discovered at the GGD. Last month GGD employees were arrested for selling people's data. It then turned out that thousands of GGD employees were able to export datasets containing private data. Whether such information was actually sold on a large scale, is not clear. The GGD disabled the export function a few weeks ago after reports on it by RTL Nieuws, NOS, and Nieuwsuur.