Covid-19 test results viewable without authentication
A Covid-19 test center was fined after sending unencrypted emails containing URLs to affected individuals. The URLs allowed access to test results with no further authentication required. In some cases, the URLs were structured in such a way that they downloaded PDF files whose file names contained the last name of the tested person. If the directory path was also known, third parties could even view test results.
Decision date:
31.12.2022
Country:
Germany
Type of violation:
inadequate data protection
Affected records:
unknown
Was sensitive data affected?:
Yes
Fine imposed:
€ 2,700,-
GDPR article violated:
32. Security of processing
Source:
Annual Report of the Hamburg Commissioner for Data Protection and Freedom of Information