A Mediapart investigation reveals that a major IT flaw in the Francetest platform has allowed access to more than 700,000 antigen test results. The site is however not authorized to feed the database of the government.
A computer breach made the results of more than 700,000 Covid-19 screening results accessible online, as well as the personal data of patients, according to a survey of August 31 by Mediapart, taken up by The world and AFP. This information was available until August 27 thanks to “a password which can be found, in clear, in a file accessible to all” on the Francetest site, according to Mediapart.
Asked by the information site, Nathaniel Hayoun, the creator and manager of Francetest, assured that security experts plancha on the problem, in particular to determine the possible exploitations of the flaw and the data made accessible.
A platform used by pharmacists to compensate for the lack of ergonomics of the SI-DEP database
The Francetest platform is used by pharmacists to send data from the Covid-19 screenings they perform to the SI-DEP database. The SI-DEP (screening information system) is a secure platform where the results of Covid-19 tests are systematically recorded in order “to ensure that all positive cases are well taken care of” and to identify cases contacts, explains the Ministry of Health on its site. Created in a hurry by the Assistance publique-Hôpitaux de Paris (AP-HP) last December, its lack of ergonomics has pushed some pharmacists to resort to intermediaries like Francetest, which coins its service to one euro.
A shadow on the table, however: the General Directorate of Health (DGS) sent an email on August 29 to pharmacists to remind them which software is approved and compatible with the SI-DEP, and Francetest is not one of them. It is indeed the Ministry of Health which “approves software compatible with SI-DEP”, recalls Mediapart. However, the ministry also confirmed to Mediapart that Francetest is “a site not authorized to supply SI-DEP and the responsibility therefore lies with the manager of the company”.
The Ministry of Health has not foreseen a sanction against the use of unauthorized software
As such, Mediapart raises certain legal ambiguities that revolve around the platform. Not appearing in the authorization list established by the ministry – although Francetest would have requested it – the decree adopted does not, however, provide for any sanction in the event of an infringement. Asked about this, the Ministry of Health admitted that “at this date, there is no legal obligation” but that a modification of the decree in order to correct the situation is planned.
Philippe Besset, president of the Federation of Pharmaceutical Unions of France, had already sensitized the authorities on this subject. “It’s been weeks and weeks that we alert the authorities to these companies which present themselves as labeled and facilitate the task of pharmacists to go to the SI-DEP”, recalls Philippe Besset according to AFP.
A report was made to the CNIL by the ministry, which for its part indicated that it had opened an investigation.