Not only “Registrų centras” data is extracted – your health data can also be read by a cleaner


The “Registrų centras” (Centre of Registers) data leak scandal caused real chaos in Lithuania – especially when it was announced that data had been stolen since the beginning of January. However, “Registrų centras” claims to have learned about the theft only at the beginning of April – it then informed law enforcement, the Ministry of Economy and Innovation, and the Prime Minister about the leaked data. According to the Prosecutor’s Office, logins occurred through accounts of Migration Department employees that were compromised from abroad. The media had already reported that logins took place on weekends, in the early mornings, and late at night.


“Registrų centras” also did not bother to inform the public – finally, the data theft was reported only on May 22, when 15min journalist Jūratė Damulytė inquired about the leaked data from RC. The Prosecutor General’s Office, which initiated the pre-trial investigation, Prime Minister Inga Ruginienė, Minister of Economy and Innovation Edvinas Grikšas, and Minister of Justice Rita Tamašunienė also remained silent.

Currently, all the mentioned parties are tossing responsibility around like a hot potato – the Prime Minister claims she could not comment due to the ongoing pre-trial investigation; the prosecutor’s office asserts that no prohibition on commenting on the incident was imposed on the Prime Minister, yet the prosecutor’s office itself did not inform the public because covert actions were being carried out. “Registrų centras” also claims it could not comment due to the ongoing pre-trial investigation. In the end, only the then-head of “Registrų centras” took responsibility, by resigning from his position.

Anyone can log in

However, in the context of the “Registrų centras” story, another system supervised by “Registrų centras” – E.sveikata (e-Health) – received much less attention. E.sveikata, belonging to the Ministry of Health, is Lithuania’s national electronic health system, where patient health data is collected and managed. Last year, E.sveikata was mentioned in a different context because after the system was updated, it was non-functional for a long time, doctors had to issue paper prescriptions again, and the Prime Minister called the E.sveikata system a joke.

Although the “Registrų centras” data leak scandal is indeed scandalous, most of the leaked data is not particularly sensitive, except for personal identification numbers. In Northern European countries, real estate registry data is even publicly available.

It is different with health data – under the European Union’s General Data Protection Regulation (GDPR), health data falls under the special categories of personal data, also known as sensitive data, which are subject to greater protection. This category also includes data on a person’s sexual life or sexual orientation, racial or ethnic origin, biometric and genetic data, etc.

In the E.sveikata system, data such as diagnoses made by doctors, a person’s medical history, history of visits to doctors, issued electronic prescriptions, and personal identification number are available.

However, as the portal “Kas vyksta Kaune” (What’s Happening in Kaunas) found out, this data is not additionally protected.

Irmantas Gelūnas / BNS photo / Renovated Centre of Registers customer service unit in Vilnius

Well-informed sources in the private and public healthcare sector informed the portal “Kas vyksta Kaune” that there are no restrictions in the E.sveikata system when checking a person’s health data – a doctor from any medical institution can check any patient.

Furthermore, a generated username and password are used to log in to the system, and no other restrictions are applied. Thus, a person can log in from any computer, at any time.

It is also interesting that many private and public institutions themselves apply much stricter criteria – allowing connections only during working hours or only from a specific IP address. According to the portal’s information, IP address restrictions are applied to Kaunas Clinics employees when connecting to internal systems (intranet), and hospital employees cannot connect from home.

“Registrų centras” is able to apply similar restrictions – for example, journalists are limited to a specific IP address if the contract they sign specifies it, and can then reach the media access service only from that address. Residents, too, must use additional identification tools when connecting to E.sveikata. Doctors, however, are subject to no such restrictions.

The portal “Kas vyksta Kaune” has already received testimonies that doctors’ E.sveikata login data also circulates among medical institution staff – for example, reception staff working in medical institutions also receive them, and no restrictions are applied to them when logging into the system.

According to journalists, there have already been cases where the health data of certain patients – celebrities, criminals, missing persons – was massively checked. And this was done not by hacking into systems, but by login data being passed from hand to hand.

It is known in the public sphere that a particularly large number of registries have been hacked in Russia. However, in many cases, there is no need to hack systems – login data is sold by civil servants in Russia to earn extra money. And such a scheme is entirely possible in Lithuania – to access health data, it is enough to obtain login data.

According to testimonies, “Registrų centras” can see who viewed the data. However, according to sources, preventive measures are implemented very sluggishly and slowly – as shown by the “Registrų centras” data leak case. Although data had been stolen since January, “Registrų centras” noticed the theft only in April.

Systems poorly protected

An IT expert, who spoke with a journalist from the portal “Kas vyksta Kaune” on condition of anonymity, agreed to share his experience on how easy it is to access residents’ health data.

“All those systems are quite old and have security vulnerabilities that have existed for a long time. Until the “Registrų centras” hack, this was simply not publicly discussed. No one was hacking too many systems, and if they were, it didn’t come to light,” said the IT specialist.


This IT specialist previously had to test the security of a system used by a private medical institution. Doctors used the system for entering patient data, but the system was also integrated with E.sveikata. According to the specialist, most internal systems used by medical institutions are integrated with e-health.

“The connection with E.sveikata is quite simple – their system has authentication keys, with the help of which their system communicates with the E.sveikata system. This should not be accessible for any external use,” asserted the interviewee.

There is just one nuance – the systems used by clinics are publicly reachable, because doctors connect through the same website as patients, only with separate logins. And, according to the specialist, this login method alone poses serious security threats.

“I wouldn’t even call it a system hack, but through open endpoints (access point, author’s note), you can find the entire system architecture, and after a bit more digging, also access the internal system. And it, as I mentioned, is integrated with E.sveikata,” explains the IT security specialist.

He recounts that during this very test he saw for himself that he could access E.sveikata patient data.

“I didn’t try to do anything through E.sveikata, but I could actually get in and take that data,” asserts the interviewee.


“If I had any intention to hack, I would first look at what software medical institutions operating in Lithuania use; this information is easy to find even through public sources. Then I would find a clinic that uses that software and try to get in, as I mentioned, this is often possible even through publicly accessible endpoints,” explains the specialist.

According to the interviewee, something similar likely happened in the case of “Registrų centras” as well.

“Access to the system itself occurs not by hacking it, but by misappropriating data, as was the case with “Registrų centras” (…).

I think E.sveikata should look into this. All doors are open, and there’s even a sign on the door – ‘Please come in’,” concludes the IT specialist.

“Registrų centras” does not plan to change procedures

“Kas vyksta Kaune” sent eight questions about E.sveikata data protection to “Registrų centras” representatives and waited a week for a response.

Mindaugas Samkus, a representative of “Registrų centras” for the media, stated that the E.sveikata system consists of the central Electronic Health Services and Cooperation Infrastructure Information System (ESPBI IS) and internal systems (HIS) used by healthcare institutions. Some institutions have their own developed and maintained internal systems, while others use solutions created by private service providers.

M. Samkus asserts that every instance of data viewing is recorded in the e-health portal, while the internal systems are managed by the institutions that operate them.

“Through the e-health portal (esveikata.lt), the registration of all data viewing instances is ensured – it records who, when, and what data was viewed. This information is stored indefinitely, and patients also have the opportunity to access this data.

Meanwhile, the registration and storage of views carried out through the internal information systems (HIS) of healthcare institutions are ensured by the institutions themselves. In these cases, responsibility lies with the institutions, as data controllers and processors, who must organize data processing in compliance with applicable legal acts, including personal data protection and information system security requirements,” stated M. Samkus.


Also, according to the “Registrų centras” representative, in the patient portal, each patient can view how many times, when, and who viewed their health data related to a visit to a healthcare institution. However, the institutions themselves are responsible for registering and storing views carried out in the internal systems of healthcare institutions.

We then asked about restrictions on viewing data – can every doctor view any patient’s data? The answer is affirmative, as the only factor is the doctor’s professional qualification.

“Restrictions in E.sveikata exist according to the doctor’s professional qualification. Doctors can view health data with the rights provided in the ESPBI IS usage procedure description,” emphasized the “Registrų centras” representative.

Personal health data can also be seen by doctors whom the patient has never visited in their life.

“If a patient comes to an institution where they are not registered, and a visit record is created for them in E.sveikata at that healthcare institution, then the specialists of that institution can provide services and see their health data according to the doctor’s professional qualification. These principles are established in legal acts. Patients in Lithuania can receive healthcare services at any medical institution, regardless of where they are registered,” explained M. Samkus.

We asked “Registrų centras” why there are no restrictions on login time or location. According to M. Samkus, some healthcare institutions operate 24/7, so they must have access to patient health data throughout their working hours. Therefore, there are no time-of-day restrictions.

M. Samkus also stated in his answers that other restrictions are applied – for example, the ability to log in only from the internal network of a healthcare institution. However, this explanation is not entirely correct, as such a restriction can be applied (and often is applied) to internal information systems, but not to E.sveikata.

“It is important to mention that a doctor can only access a person’s health data after creating a visit document – this fact remains visible permanently (also to the patient),” adds M. Samkus.

Finally, we asked whether “Registrų centras” would see a need to change the current data protection procedures, and what measures “Registrų centras” is taking to prevent cases of health data theft.

The first question was answered vaguely – it was stated that “Registrų centras” is guided by the requirements for state information systems, so data protection is supposedly ensured.

“Registrų centras, as the main administrator of the E.sveikata system, is guided by the requirements for state information systems, the ESPBI IS regulations, and other legal acts that specify how the system must operate, who has the right to receive and provide data, and what mandatory authentication measures are required. “Registrų centras” ensures the necessary technical cybersecurity measures for the system but does not evaluate the justification of access rights established in legal acts,” stated the “Registrų centras” representative.

The “Registrų centras” representative also stated that RC takes “preventive control measures” and if a patient or law enforcement institution contacts them, they check audit log information on who connected and when.

“In the healthcare process, specialists’ activities or access to data cannot be unreasonably restricted, therefore the main focus is on preventive control measures – access rights management and traceability. “Registrų centras” constantly evaluates and improves measures for identifying possible cases of unauthorized access to health data (…).

If a patient or law enforcement institution contacts “Registrų centras” regarding a possible unjustified viewing of patient health data in ESPBI IS, in such cases, the ESPBI IS audit log information is evaluated: which user, when, and what patient data was viewed, on behalf of which personal healthcare institution the connection was made, and whether an active visit/service provision basis was registered,” stated M. Samkus.
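The audit fields M. Samkus lists (which user, when, which patient, on behalf of which institution, and whether an active visit basis existed) are enough to triage the patterns the article describes proactively rather than only on complaint. The script below is an added illustration, not code from “Registrų centras” or the portal; the log format and sample lines are constructed, and the ESPBI IS audit schema is assumed to be reducible to these five fields.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit lines (not real ESPBI IS data). Fields follow the ones
# the article says the audit log records: timestamp, user, patient, institution,
# and whether an active visit/service basis was registered for the view.
SAMPLE_LOG = """\
2025-03-10T09:12:00|doc_jonas|PAT-1001|KlinikaA|visit=yes
2025-03-10T09:40:00|doc_jonas|PAT-1002|KlinikaA|visit=yes
2025-03-10T23:55:00|reg_desk1|PAT-7777|KlinikaB|visit=no
2025-03-11T00:05:00|doc_ruta|PAT-7777|KlinikaC|visit=no
2025-03-11T01:30:00|doc_tomas|PAT-7777|KlinikaD|visit=no
2025-03-11T10:00:00|doc_ruta|PAT-1003|KlinikaC|visit=yes
"""

def parse_audit(text):
    """Parse pipe-separated audit lines into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, inst, visit = line.split("|")
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "inst": inst,
                        "visit": visit.split("=")[1] == "yes"})
    return entries

def views_without_visit(entries):
    """Views with no active visit basis: the check RC says it runs on complaint."""
    return [e for e in entries if not e["visit"]]

def off_hours_views(entries, start=7, end=20):
    """Views outside start..end hours. A triage signal only: some institutions run 24/7."""
    return [e for e in entries if not start <= e["ts"].hour < end]

def mass_lookups(entries, min_users=3):
    """Patients viewed by at least min_users distinct accounts across institutions,
    the 'celebrity lookup' pattern the article describes."""
    by_patient = defaultdict(set)
    for e in entries:
        by_patient[e["patient"]].add((e["user"], e["inst"]))
    return {p: sorted(u) for p, u in by_patient.items() if len(u) >= min_users}

def triage(text):
    """Run all three checks and return the user or patient ids each one flags."""
    entries = parse_audit(text)
    return {"no_visit": [e["user"] for e in views_without_visit(entries)],
            "off_hours": [e["user"] for e in off_hours_views(entries)],
            "mass_lookup": mass_lookups(entries)}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the sample, all three checks converge on PAT-7777: three different accounts at three institutions viewed the record overnight with no visit registered, which is exactly the case a log review should surface without waiting for a patient to ask.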

