According to news reports, California-based medical startup Total Testing Solutions has removed a website that allowed customers to access their test results after a customer found a vulnerability that allowed access to other people’s personal information.
Total Testing Solutions, which has 10 COVID-19 testing sites across Los Angeles, processes “thousands” of COVID-19 tests at workplaces, sports venues and schools each week. When test results are ready, customers get an email with a link to a website to get their results.
According to TechCrunch, the customer claimed they found a website security flaw that allowed them to access other customers’ information by increasing or decreasing a number in the website’s address by a single digit, thus allowing the customer to see other customers’ names and the date of their test.
The customer passed details of the security flaw to TechCrunch, hoping to get the vulnerability fixed before someone else found or exploited it. TechCrunch verified the customer’s findings; although it did not enumerate each result code, limited testing found that the security flaw likely put around 60,000 tests at risk. TechCrunch then reported the flaw to the company’s chief medical officer Geoffrey Trenkle, “who did not dispute the number of discovered tests but said the exposure was limited to an on-premise server used to provide legacy test results that have since been shut down and replaced by a new cloud-based system,” TechCrunch says.
In a statement, Trenkle said, “We were recently made aware of a potential security vulnerability in our former on-premises server that could allow access to certain patient names and results using a combination of URL manipulation and date of birth programming codes. The vulnerability was limited to patient information obtained at public testing sites before the creation of the cloud-based server. In response to this potential threat, we immediately shut down the on-premises software and began migrating that data to the secure cloud-based system to prevent future risk of data breach. We also initiated a vulnerability assessment, including the review of server access logs to detect any unrecognized network activity or unusual authentication failures.”
Trenkle declined to say when the cloud server became active and why the allegedly legacy server had test results as recently as last month. “Currently, TTS is not aware of any breach of unsecured protected health information as a result of the issues with its prior server. To our knowledge, no patient health information was actually compromised, and all risk has been mitigated going forward.”
Purandar Das, co-founder and chief security evangelist at Sotero, an encryption-based security solutions company, says, “This is another instance of poor security practice. When organizations are in a hurry to monetize, security and data privacy are usually the first casualty. It is concerning when organizations don’t have rigorous security practices and a commitment to preserve and protect their customers’ privacy. As the company itself mentions, moving data to a more secure cloud-based service immediately solved the vulnerability. It is also a sign that the regulatory and financial pressure isn’t solving this epidemic of losing customer and consumer data. This has to be seen in the light that consumers suffer a huge amount of reputational and financial damage while organizations continue to be in business after losing information due to poor practices and budgetary constraints.”
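The access-log review mentioned in the company’s statement can be sketched as follows. This is an added example, not code from the article, TechCrunch or Total Testing Solutions; the `/results/<id>` path, the thresholds and the log lines are assumptions constructed for illustration. It flags clients that requested a run of adjacent result numbers, the pattern the reported flaw would leave behind.

```python
import re
from collections import defaultdict

# Hypothetical URL layout /results/<numeric id>; the real site's paths are not in the article.
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /results/(\d+)(?:\?\S*)? HTTP/[\d.]+" \d{3}')

def longest_run(ids):
    """Length of the longest chain of distinct IDs that differ by exactly 1."""
    best = run = 0
    prev = None
    for i in sorted(set(ids)):
        run = run + 1 if prev is not None and i == prev + 1 else 1
        best = max(best, run)
        prev = i
    return best

def find_enumerators(lines, min_distinct=4, min_run=4):
    """Return {client_ip: (distinct_ids, longest_run)} for clients whose requests
    walk adjacent result numbers instead of opening a single emailed link."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            # Count hits and misses alike: walking the ID space also produces 404s.
            seen[m.group(1)].append(int(m.group(2)))
    flagged = {}
    for ip, ids in seen.items():
        distinct, run = len(set(ids)), longest_run(ids)
        if distinct >= min_distinct and run >= min_run:
            flagged[ip] = (distinct, run)
    return flagged

# Constructed sample log lines (documentation IP ranges, made-up result numbers).
FMT = '{ip} - - [01/Jan/2021:10:00:{s:02d} +0000] "GET /results/{rid} HTTP/1.1" {st} 512'
SAMPLE = (
    # One client stepping through five adjacent result numbers, one of them missing.
    [FMT.format(ip="198.51.100.7", s=n, rid=48211 + n, st=404 if n == 3 else 200)
     for n in range(5)]
    # A customer reloading their own result.
    + [FMT.format(ip="203.0.113.20", s=10 + n, rid=51877, st=200) for n in range(2)]
    # A shared address opening two unrelated results.
    + [FMT.format(ip="192.0.2.55", s=20, rid=40010, st=200),
       FMT.format(ip="192.0.2.55", s=21, rid=47000, st=200)]
)

if __name__ == "__main__":
    for ip, (distinct, run) in find_enumerators(SAMPLE).items():
        print(f"{ip}: {distinct} distinct result IDs, longest adjacent run {run}")
```

Thresholds need tuning against real traffic, since workplace or school testing can put many legitimate customers behind one address.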