[BreachExchange] Saskatchewan deletes vaccine QR codes while privacy glitch gets fixed
Sophia Kingsbury
sophia.kingsbury at riskbasedsecurity.com
Mon Sep 27 09:05:36 EDT 2021
https://www.msn.com/en-ca/news/canada/saskatchewan-deletes-vaccine-qr-codes-while-privacy-glitch-gets-fixed/ar-AAOOdUT
The Saskatchewan government says it's temporarily removing the QR codes
from vaccination records following a privacy breach.
The scannable codes were added as a quick way to display people's COVID-19
vaccination status. It's a key aspect of the province's vaccine passport
system, which was already online but kicks into high gear next month.
However, eHealth says up to 19 of the codes were found to potentially
display the wrong person's health information.
So far, it's been confirmed that only one person's data was inadvertently
shared with the QR codes of three other people. The discovery was made
Thursday.
The type of information displayed in the privacy breach would depend on the
code reader used, eHealth vice-president of programs and technology Davin
Church said.
"The majority would have just shown a name and vaccination status — so
whether they were were vaccinated or not," Church said. "In others, they
would have perhaps the name, date of birth and their vaccination
information. "
EHealth is taking the whole system offline while it sorts out the issue.
"Any QR codes issued have been rendered invalid, so if they are attempted
to be read, they will not be valid QR codes," Church said.
"We would ask that individuals dispose of those, delete them from devices."
Starting Saturday, people can print off their vaccination record again, but
the QR code won't be attached.
People can also use their wallet-sized vaccination cards until the QR codes
are fixed.
EHealth says it expects that to happen early next week.
Church said the vendor of the QR code system is Telus. Another company,
Akinox Solutions Inc., is in charge of the QR code "verifier app" and had
no part in what happened, he said.
According to eHealth, the privacy breach has been reported to the
information and privacy commissioner's office.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210927/df976608/attachment.html>
More information about the BreachExchange
mailing list