The New Zealand Ministry of Health ordered a review of all systems made by the developer Valentia Technologies, which also makes software used by the Ambulance service, many GP practices and the managed isolation and quarantine system. This comes after a data breach in the national COVID vaccine-booking system, that had led to exposure of personal information of more than 700 patients.
“It is not a coding error. It is incompetence. The developer who developed this is incompetent… This is basic stuff,” said the man who spotted the booking system problem.
“The source code of the website, flagged a few concerning features, including someone’s name, and an NHI number hard coded into the website, for what reason? I don’t know,” he said. “We could see everyone’s details. We skimmed through, we didn’t look at names, but their names, dates of birth, NHI numbers for those who entered them, contact details, where they were getting their vaccinations, what time they were vaccinated.”
It appeared that Canterbury DHB had used a modified internal system to create the booking system. “You can tell by the source code, this was never meant to be a public facing website. This was only for people to use on like iPads, in doctors’ surgeries, it was not supposed to be for this.“