Software leak gave access to Belgian radiographs and patient data

Feb 12, 2016

The Belgian company Dobcomed had a vulnerability that made it possible to view X-rays and patient data of arbitrary patients. The company fixed the leak within an hour of being notified by Tweakers.

The tip came from an observant Tweaker from Belgium, who was given a code after visiting an X-ray department so that he could view his images at home. With this code and his date of birth he could log in to Dobcomed's Pacsonweb system. But when he inspected a number of elements on the page with his browser's built-in inspection function, he discovered that each image had a unique URL.

By adjusting some values in this URL it was then possible to view other people's images. A user must first have had access to the system in order to obtain the URL. In this case only the images could be retrieved, without other identifying information. Another feature of the system is the download of entire zip files containing multiple images and additional information, including the treating hospital and the name and sex of the patient. These zip files could also be requested by adjusting the URL. It is not clear how many files were ultimately accessible this way.

After verifying the leak, Tweakers contacted Dobcomed. The company confirmed the leak and closed it quickly: it was fixed within an hour of the initial contact. The company says an internal investigation showed that the unauthorized access was limited to six interactions, probably from the informant.
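The flaw described above is a missing per-object authorization check: the server returned whatever record the URL named to any logged-in session. The following is an added example, not Dobcomed's code, showing the flawed pattern next to the ownership check, plus a log audit of the kind that can count cross-patient requests; all identifiers, records and log entries are constructed assumptions.

```python
# Added illustration: every name and record here is constructed, not Pacsonweb's.
from dataclasses import dataclass

@dataclass(frozen=True)
class Study:
    study_id: int
    patient_id: str   # owner of the images
    hospital: str

# Constructed sample data: two patients, three studies.
STUDIES = {
    1001: Study(1001, "patient-A", "Hospital X"),
    1002: Study(1002, "patient-B", "Hospital Y"),
    1003: Study(1003, "patient-A", "Hospital X"),
}

class Forbidden(Exception):
    pass

def fetch_study_unchecked(session_patient, study_id):
    """Flawed pattern: any logged-in session gets whatever ID the URL names."""
    return STUDIES[study_id]

def fetch_study_checked(session_patient, study_id):
    """Object-level authorization: the study must belong to the session's patient."""
    study = STUDIES.get(study_id)
    # Same error for "missing" and "not yours", so valid IDs cannot be enumerated.
    if study is None or study.patient_id != session_patient:
        raise Forbidden(study_id)
    return study

def cross_patient_requests(access_log):
    """Audit: return log entries where a session asked for another patient's study."""
    hits = []
    for session_patient, study_id in access_log:
        study = STUDIES.get(study_id)
        if study is not None and study.patient_id != session_patient:
            hits.append((session_patient, study_id))
    return hits

# Constructed access log: (patient bound to the session, study ID from the URL).
ACCESS_LOG = [
    ("patient-A", 1001),
    ("patient-A", 1002),  # ID in the URL does not belong to this session
    ("patient-B", 1002),
    ("patient-A", 1003),
    ("patient-B", 1003),  # ID in the URL does not belong to this session
]

if __name__ == "__main__":
    print(cross_patient_requests(ACCESS_LOG))
```

The same check has to sit on every route that serves the record, including the zip download, since each endpoint that accepts an identifier from the URL is a separate place for the check to be missing.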

Dobcomed also suggests that a week has been screened for the notification of Tweakers and the company executive has confirmed that the leak thereby would have come up. According to Dobcomed, the Pacsonweb application is used in over eighty X-ray departments in Belgium. The company has chosen to inform its customers, including hospitals that were not affected, about the leak.

Belgium, unlike the Netherlands, has no obligation to report data breaches; only companies in the telecom sector are obliged to report a leak to the CPP. However, a guide is available for businesses that still want to report a data breach. With the introduction of the European general privacy regulation, a general notification requirement will also apply in Belgium.
