COVID-19 Test Results at Risk: Website Bug Exposes Data

August 17, 2021
COVID-19 Testing Site Vulnerability Exposes Customer Data

A medical startup located in California, providing COVID-19 testing services throughout Los Angeles, has taken its customer results website offline. This action followed the discovery of a security flaw that permitted unauthorized access to personal information.

Details of the Incident

Total Testing Solutions operates ten COVID-19 testing locations across Los Angeles, processing a substantial number of tests weekly at various sites including workplaces, sporting events, and schools. Customers typically receive an email containing a link to the website when their results are available.

A customer identified a vulnerability allowing access to other individuals' data. By simply modifying a single digit within the website’s URL, they could view the names and test dates of other patients.

Weak Security Measures

The website’s security was further compromised by its reliance on only a date of birth for access to COVID-19 test results. The discovering customer noted that this system could be easily exploited through a brute-force attack – systematically guessing dates of birth.

Despite the presence of a login page requiring email and password credentials, the vulnerability bypassed this security measure. Direct access to the vulnerable section of the website was possible via URL manipulation, circumventing the standard sign-in process.
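The two flaws described above, a guessable record number in the URL and a date of birth as the only gate, are a textbook insecure direct object reference combined with a low-entropy "secret". The following is an added illustration written for this page, not code from Total Testing Solutions or from TechCrunch's testing; the data model, the in-memory stores and the `session_user` parameter are assumptions made to keep it self-contained. It shows a lookup with the reported weaknesses beside a hardened version that requires a login, checks that the logged-in user owns the record, and addresses results by an unguessable token rather than a sequential id.

```python
"""Added example: IDOR-style results lookup versus a hardened lookup.
Not the company's code; all data below is constructed."""
import secrets
from dataclasses import dataclass


@dataclass
class Result:
    record_id: int      # sequential database id, exposed in the vulnerable URL
    owner_email: str    # the account the result belongs to
    name: str
    dob: str            # ISO date; the only "check" in the vulnerable design
    test_date: str


# Constructed sample records, not real patients.
RESULTS = {
    1001: Result(1001, "alice@example.com", "Alice", "1980-01-02", "2021-08-01"),
    1002: Result(1002, "bob@example.com", "Bob", "1975-05-06", "2021-08-02"),
}


def vulnerable_lookup(record_id, dob):
    """Flawed design from the article: the id comes straight from the URL and
    the only gate is a date of birth. No session is consulted, so the login
    page is irrelevant, and a DOB is guessable in a small number of tries."""
    r = RESULTS.get(record_id)
    if r is None or r.dob != dob:
        return None
    return {"name": r.name, "test_date": r.test_date}


# Hardened design (assumed): results are addressed by a random token that is
# only ever sent in the results email, and the handler enforces object-level
# authorization against the authenticated session.
TOKENS = {}  # token -> record_id


def issue_token(record_id):
    """Mint an unguessable handle for a record (256 bits from the OS CSPRNG)."""
    token = secrets.token_urlsafe(32)
    TOKENS[token] = record_id
    return token


def hardened_lookup(token, session_user):
    """Return a result only to the logged-in owner of the record."""
    if session_user is None:
        return None  # authentication: a URL alone never grants access
    r = RESULTS.get(TOKENS.get(token))
    if r is None or r.owner_email != session_user:
        return None  # authorization: the session must own this record
    return {"name": r.name, "test_date": r.test_date}
```

The important change is the second `if` in `hardened_lookup`: even with a valid token, a user who is logged in as someone else gets nothing, which is the check a URL-manipulation bug bypasses. The random token removes enumeration, but on its own it is not a substitute for the ownership check.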

Reporting and Verification

Concerned about potential misuse, the customer reported the vulnerability to TechCrunch, hoping for a swift resolution. TechCrunch independently confirmed the findings.

Limited testing by TechCrunch indicated that approximately 60,000 test records were potentially at risk. The vulnerability was brought to the attention of Geoffrey Trenkle, TTS’s chief medical officer, who acknowledged the scope of the issue.

Company Response

Trenkle stated that the vulnerability was confined to an older, on-premise server used for legacy test results. This server has since been decommissioned and replaced with a new, cloud-based system.

“We were alerted to a possible security issue in our previous on-premises server that could have allowed access to certain patient names and results through URL manipulation and date of birth programming codes,” Trenkle explained in a statement.

He further stated that the vulnerability affected data collected at public testing sites before the implementation of the cloud-based server. Immediate action was taken to shut down the on-premises software and migrate data to the secure cloud system.

Further Questions and Mitigation

Trenkle did not disclose the activation date of the cloud server or explain why the legacy server still contained recent test results.

The company maintains that no unauthorized access to protected health information occurred. They claim all risks have been mitigated with the transition to the new system and have initiated a vulnerability assessment, reviewing server logs for suspicious activity.
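A log review for this kind of bug looks for one client walking through many different record ids in a short time, which is what "changing a single digit in the URL" produces server-side. The script below is an added example for this page, not the company's tooling; the access-log lines are constructed in common log format, and the `/results/<id>` path, the one-minute window and the threshold of five distinct ids are assumptions to be tuned against real traffic.

```python
"""Added example: flag clients that enumerated many result records.
Log lines are constructed; the path layout and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample web-server access log (common log format).
SAMPLE_LOG = """\
203.0.113.5 - - [17/Aug/2021:10:00:01 +0000] "GET /results/1001 HTTP/1.1" 200 512
203.0.113.5 - - [17/Aug/2021:10:00:02 +0000] "GET /results/1002 HTTP/1.1" 200 512
203.0.113.5 - - [17/Aug/2021:10:00:03 +0000] "GET /results/1003 HTTP/1.1" 200 512
203.0.113.5 - - [17/Aug/2021:10:00:04 +0000] "GET /results/1004 HTTP/1.1" 200 512
203.0.113.5 - - [17/Aug/2021:10:00:05 +0000] "GET /results/1005 HTTP/1.1" 200 512
203.0.113.5 - - [17/Aug/2021:10:00:06 +0000] "GET /results/1006 HTTP/1.1" 200 512
198.51.100.7 - - [17/Aug/2021:10:05:00 +0000] "GET /results/1042 HTTP/1.1" 200 512
198.51.100.7 - - [17/Aug/2021:10:09:30 +0000] "GET /results/1042 HTTP/1.1" 200 512
198.51.100.7 - - [17/Aug/2021:10:09:31 +0000] "GET /static/app.css HTTP/1.1" 200 90
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
RESULT_PATH_RE = re.compile(r"^/results/(?P<id>\d+)$")


def parse_line(line):
    """Return (ip, timestamp, record_id) for a successful results fetch,
    or None for anything else (other paths, errors, malformed lines)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    p = RESULT_PATH_RE.match(m.group("path"))
    if not p or m.group("status") != "200":
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(p.group("id"))


def find_enumerators(log_text, window_seconds=60, threshold=5):
    """Map each client IP that fetched at least `threshold` distinct record
    ids within any `window_seconds` window to the sorted ids it reached.
    A legitimate customer opens their own result, possibly several times;
    many different ids from one client is the enumeration pattern."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts, rid = parsed
            by_ip[ip].append((ts, rid))

    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort()  # chronological; sliding window starts at each request
        for i, (start, _) in enumerate(reqs):
            ids = {rid for ts, rid in reqs[i:]
                   if (ts - start).total_seconds() <= window_seconds}
            if len(ids) >= threshold:
                flagged[ip] = sorted(ids)
                break
    return flagged


if __name__ == "__main__":
    for ip, ids in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {len(ids)} distinct records in one window, e.g. {ids[:3]}")
```

Only successful (`200`) fetches are counted, so a client who is guessing dates of birth and mostly failing would not show up here; a second query that counts non-200 responses per id from the same client would cover that case. The flagged ids are also the list of records whose owners may need to be notified, which bears directly on the question of customer notification below.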

Legal Obligations and Customer Notification

Trenkle indicated the company will fulfill its legal obligations under state law but did not confirm whether customers would be directly notified about the vulnerability. While not legally required, many companies proactively inform customers as a precautionary measure.

Lauren Trenkle, TTS chief executive, who was included in related email correspondence, offered no comment on the matter.

Additional Information

  • Total Testing Solutions provides COVID-19 testing at multiple locations in Los Angeles.
  • The vulnerability allowed access to patient names and test dates.
  • The company has transitioned to a cloud-based system to enhance security.