Security slip up at South African medical startup LogBox may have exposed users’ medical information

LogBox is a South African medical startup that allows patients to store and share their medical information with medical practitioners. The model of the business is to be a digital intermediary, eliminating the need for patients to fill out physical medical forms.

The application is also used by academic institutions as an electronic portfolio and a logbook for registrars, supervisors and heads of departments.

Over the years they have partnered with Lancet Laboratories, NetCare, Wits University Donald Gordon Medical Centre, College of South African Medicine, MEDeMass and many others.

Data exposure

In a report by TechCrunch, Anurag Sen, a security researcher, found an exposed database belonging to LogBox. The database contained account access tokens for thousands of LogBox users which, if used, would grant access to those users’ accounts without needing their passwords.

Sen reported his findings to LogBox but didn’t hear back from them. After TechCrunch reached out, LogBox said the database had been pulled offline.

Another take on the exposure

DataBreaches.net reached out to both LogBox and Anurag Sen to find out more about the situation. Anurag Sen said that the tokens provided access to users’ medical information.

LogBox, however, gave a different answer. They said that the vulnerability was not in the app itself but in a network firewall. The problem first occurred in November 2019 and affected a survey form introduced as a new feature.

“Based on our forensic work to date, a maximum of 25,000 survey forms, predominantly relating to pilot or test data, were potentially exposed. The open port enabled access to a separate and external database of traffic logs that were being used for usage-monitoring and technical support purposes.”

LogBox representative

When DataBreaches.net asked if any patient information was accessible through the survey forms the LogBox representative said:

Yes. That said, please note that the data that was lost constituted network tokens, which could theoretically have been used to access the survey form for the 3 users, and only that survey form’s contents. There is however, no evidence based on the forensic examination thus far, that the tokens were actually used to access the forms. Our view at present is accordingly that no actual patient data at all, was exposed. Rather, it was network traffic-related data.

LogBox representative

Conclusion?

DataBreaches.net concluded that this was a vulnerability, not a breach. They also said that LogBox failed to take advantage of Anurag Sen’s findings; he acted responsibly in notifying them of the issue with their database.

LogBox could have gotten ahead of this and secured their systems earlier. Anurag Sen could also have provided them with valuable knowledge on how to better secure their databases.

The company says that it is working to ensure that something of this nature doesn’t happen again.

This vulnerability comes as the Protection of Personal Information Act came into effect on the first of July in South Africa. This act includes measures and guidelines that apply to LogBox’s core business model. Zimbabwe is also in the middle of a legislative process to craft a cybersecurity and data privacy law. Currently there is a draft bill that parliament will be taking to public hearings around the country next week.