Advertisement

We need your help now

Support from readers like you keeps The Journal open.

You are visiting us because we have something you value. Independent, unbiased news that tells the truth. Advertising revenue goes some way to support our mission, but this year it has not been enough.

If you've seen value in our reporting, please contribute what you can, so we can continue to produce accurate and meaningful journalism. For everyone who needs it.

File image from 2021 of a sign for the Vaccination Centre in Citywest, Dublin Alamy Stock Photo

HSE says ‘misconfiguration’ of Covid vaccine dataset did not result in ‘unauthorised viewing’ of data

The HSE said the incident did not require a Personal Data Breach report to the Data Protection Commission.

THE HSE HAS said a “misconfiguration” of its electronic dataset related to the roll-out of the Covid vaccine did not result in the “unauthorised accessing or viewing” of personal data.

The Covax system is an electronic dataset which records all Covid-19 vaccinations in Ireland and was used “for statistical and activity analysis”.

The data collection start date was 27 December 2020 and the HIQA website states that it “continues to this day”.

The data includes “person-identifying information” of individuals, as well as data on citizens who were not vaccinated by virtue of non-attendance.

HIQA adds that the data in Covax is accessed by staff in the National Immunisation Office for “the purpose of data curation and vaccination programme management”.

The “misconfiguration” is said to have occurred in December, 2021.

In a statement to The Journal, the HSE said “security considerations were at the forefront of the Covax deployment”.

However, the statement added that “when a system of this nature is put together under time pressure (as was the case as we established the Covid-19 vaccination campaign), misconfigurations can occur”.

“In this case an external source pointed out one misconfiguration which would have required deep technical expertise to exploit,” said the HSE spokesperson.

They added that the misconfiguration was “remedied” on the day the HSE were alerted to it.

“If someone accessed data, we would be able to see this in the detailed logs which we analysed,” said the HSE.

“Apart from the source who informed us of this issue, there was no unauthorised accessing or viewing of this data.”

The HSE said the data accessed was “insufficient to identify any person without additional data fields being exposed”.

As a result, the HSE said a Personal Data Breach report to the Data Protection Commission was not required.

In a statement to The Journal, a spokesperson for the Data Protection Commission said the “DPC has only become aware of this issue within the last 24 hours, and we will be engaging with the HSE on it”.

Readers like you are keeping these stories free for everyone...
A mix of advertising and supporting contributions helps keep paywalls away from valuable information like this article. Over 5,000 readers like you have already stepped up and support us with a monthly payment or a once-off donation.

Close
JournalTv
News in 60 seconds