A database containing access keys for thousands of patient records held by SA medical data startup LogBox was exposed to potential hackers.
A security researcher discovered a vulnerability in LogBox’s systems that allowed him to gain access to an external database holding access tokens for users. According to the researcher, these tokens can be used to get access to user accounts.
LogBox says the vulnerability has since been rectified and it will inform affected users pending an internal investigation.
In reply to questions from Business Insider South Africa, the company explained that “the vulnerability was in a network firewall, rather than in the LogBox application itself. Specifically, it was a case of an unguarded network port, through which access was obtained to a separate (external to LogBox) database of traffic logs, being used for usage-monitoring and technical support purposes.”
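The root cause described above is a usage-monitoring log store that retained live access tokens, so an exposed port turned diagnostic data into account access. The following is an added illustration, not LogBox’s code, of the control that removes that risk at the source: scanning traffic-log lines for credential material and redacting it before the lines reach any monitoring or support database. The log lines and tokens are constructed for the example.

```python
import re

# Constructed sample traffic-log lines (not real LogBox data); every token is made up.
SAMPLE_LOG = (
    "GET /api/records?patient=123&access_token=tok_abc123 HTTP/1.1 "
    "| Authorization: Bearer eyJhbGciOi.fakepayload.sig | 200\n"
    "POST /api/login HTTP/1.1 | Authorization: Basic dXNlcjpwYXNz | 302\n"
    "GET /api/health HTTP/1.1 | - | 200\n"
)

REDACTED = "[REDACTED]"

# Credential material a usage-monitoring log should never retain: Authorization
# header values and token-like query parameters. Each pattern keeps the label
# (group 1) and captures the secret (group 2); already-redacted values are skipped.
CREDENTIAL_PATTERNS = {
    "authorization_header": re.compile(
        r"(Authorization:\s*\w+\s+)(?!\[REDACTED\])(\S+)", re.IGNORECASE),
    "token_query_param": re.compile(
        r"((?:access_token|token|api_key|session)=)(?!\[REDACTED\])([^&\s]+)",
        re.IGNORECASE),
}


def find_credentials(line: str) -> list[tuple[str, str]]:
    """Detection: return (kind, secret) pairs still present in a log line."""
    found = []
    for kind, pattern in CREDENTIAL_PATTERNS.items():
        for match in pattern.finditer(line):
            found.append((kind, match.group(2)))
    return found


def redact_line(line: str) -> str:
    """Mitigation: replace each secret with a fixed marker, keeping the label."""
    for pattern in CREDENTIAL_PATTERNS.values():
        line = pattern.sub(lambda m: m.group(1) + REDACTED, line)
    return line


def redact_log(text: str) -> list[str]:
    """Sanitise a whole log before it is handed to a monitoring or support store."""
    return [redact_line(line) for line in text.splitlines()]
```

Running `find_credentials` over what a monitoring store already holds is the audit check; `redact_log` applied at ingestion is the fix that makes a later port exposure a much smaller incident.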
The disclosure comes just after South Africa’s massive new data privacy law, the Protection of Personal Information Act of 2013 (or Popi), came into effect.
LogBox was founded in 2010 as a way to help you fill in medical forms. Instead of having to fill in loads of forms when you visit a new doctor, your medical information is kept by LogBox, and can be viewed on the app or website.
The company boasts that your “information is secured according to the highest international standards.”
However, TechCrunch reported that a security researcher, Anurag Sen, managed to find a database containing access tokens for thousands of LogBox users. With these tokens, you could gain access to user accounts without needing to know their password, Sen told TechCrunch.
Sen reportedly informed LogBox of the vulnerability but did not hear back. The database was then apparently pulled after TechCrunch reported on the vulnerability.
LogBox is used, or has been trialed, by Lancet Laboratories, Netcare Waterfall City Hospital, and the Wits University Donald Gordon Medical Centre.
Under Popi, companies are required to inform the new Information Regulator and affected users of data breaches, although companies have a one-year grace period until July 2021 to comply with the Act.
The company says that it “will file a report as a precautionary measure and as a matter of course, even though what transpired may not constitute a reportable event under the newly-promulgated Popi regulations.”