A bug in a medical startup’s website put thousands of COVID-19 test results at risk
August 17, 2021 at 10:00 AM EDT
A California-based medical startup that provides COVID-19 testing across Los Angeles has pulled down a website it used to allow customers to access their test results after a customer found a vulnerability that allowed access to other people’s personal information.
Total Testing Solutions has ten COVID-19 testing sites across Los Angeles, and processes “thousands” of COVID-19 tests at workplaces, sports venues, and schools each week. When test results are ready, customers get an email with a link to a website to get their results.
But one customer said they found a website vulnerability that allowed them to access other customers’ information by increasing or decreasing a number in the website’s address by a single digit. That allowed the customer to see other customers’ names and the date of their test. The website also only requires a person’s date of birth to access their COVID-19 test results, which the customer who discovered the vulnerability said “wouldn’t take long” to brute-force, or simply guess. (That’s just 11,000 birthday guesses for anyone under age 30.)
Although the test results website is protected by a login page that prompts the customer for their email address and password, the vulnerable part of the website that allowed the customer to change the web address and access other customers’ information could be accessed directly from the web, bypassing the sign-in prompt altogether.
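The two weaknesses described above, a sequential record number taken straight from the URL with no login required, and a guessable date of birth as the only check, are the classic insecure direct object reference pattern. The following is an added illustration written for this article, not code from Total Testing Solutions or TechCrunch; the records, e-mail addresses and function names are constructed. It places the weak lookup beside a hardened one that requires an authenticated session, addresses records by random tokens, enforces ownership, and caps date-of-birth failures per session.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample records, keyed by the kind of sequential id the legacy site exposed in its URLs.
@dataclass
class Result:
    owner_email: str
    name: str
    dob: str        # YYYY-MM-DD, the only "secret" the legacy page asked for
    test_date: str
    token: str = field(default_factory=lambda: secrets.token_urlsafe(24))  # unguessable handle

RESULTS = {
    1001: Result("alice@example.com", "Alice Example", "1995-04-02", "2021-07-20"),
    1002: Result("bob@example.com", "Bob Example", "1988-11-30", "2021-07-21"),
}
BY_TOKEN = {r.token: r for r in RESULTS.values()}

def lookup_legacy(result_id: int, dob: str):
    """Weak pattern the article describes: the id comes straight from the URL, no login is
    required, and a guessable date of birth is the only check, so id +/- 1 reaches other patients."""
    rec = RESULTS.get(result_id)
    if rec is None or rec.dob != dob:
        return None
    return {"name": rec.name, "test_date": rec.test_date}

def lookup_hardened(session_email, token: str, dob: str, failures: dict, max_failures: int = 5):
    """Hardened pattern: an authenticated session is mandatory, the record is addressed by a
    random token rather than a counter, the session must own the record, and DOB failures are
    capped per session so the roughly 11,000-guess birthday space cannot be walked."""
    if session_email is None:
        return None                                   # never serve results to anonymous requests
    if failures.get(session_email, 0) >= max_failures:
        return None                                   # locked out; this is the event to alert on
    rec = BY_TOKEN.get(token)
    if rec is None or rec.owner_email != session_email:
        return None                                   # IDOR blocked: token must belong to the caller
    if not hmac.compare_digest(rec.dob.encode(), dob.encode()):
        failures[session_email] = failures.get(session_email, 0) + 1
        return None
    return {"name": rec.name, "test_date": rec.test_date}
```

In the hardened version a caller who knows another patient's token and date of birth still gets nothing, because the record must belong to the authenticated session.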
The customer passed on details of the vulnerability to TechCrunch so that it could be fixed before someone else found or exploited it, if that had not already happened.
TechCrunch verified the customer’s findings. While we did not enumerate each result code, limited testing found that the vulnerability likely put around 60,000 tests at risk. TechCrunch reported the vulnerability to TTS chief medical officer Geoffrey Trenkle, who did not dispute the number of discovered tests, but said the vulnerability was limited to an on-premise server used to provide legacy test results that has since been shut down and replaced by a new cloud-based system.
“We were recently made aware of a potential security vulnerability in our former on-premises server that could allow access to certain patient names and results using a combination of URL manipulation and date of birth programming codes,” said Trenkle in a statement. “The vulnerability was limited to patient information obtained at public testing sites before the creation of the cloud-based server. In response to this potential threat, we immediately shut down the on-premises software and began migrating that data to the secure cloud-based system to prevent future risk of data breach. We also initiated a vulnerability assessment, including the review of server access logs to detect any unrecognized network activity or unusual authentication failures.”
Trenkle declined to say when the cloud server became active, and why the allegedly legacy server had test results as recently as last month.
“Currently, TTS is not aware of any breach of unsecured protected health information as a result of the issues with its prior server. To our knowledge, no patient health information was actually compromised, and all risk has been mitigated going forward,” said Trenkle.
Trenkle said the company will comply with its legal obligations under state law, but stopped short of explicitly saying whether the company plans to notify customers of the vulnerability. Although companies aren’t obliged to report vulnerabilities to their state’s attorney general or to their customers, many do out of an abundance of caution, since it’s not always possible to determine whether there was improper access.
TTS chief executive Lauren Trenkle, who was copied on an email chain, did not comment.