The Privacy Guarantor opens an investigation on Ats Milano for violation of privacy
Source: HW Upgrade added 06th Nov 2020
Italian healthcare is not managing the data relating to Covid swabs as it should, and on a couple of occasions there have been violations that attracted the attention of the Privacy Guarantor
by Alberto Falchi, published on 06 November 2020 at 13:09 in the Innovation channel
The data on swabs positive for Covid have not been properly stored, and the Privacy Guarantor has made itself heard by opening an investigation against Ats Milano for violation of privacy. Not only that: the Guarantor also raised a complaint concerning the Lombardy Region's Swab in a Click platform.
Ats Milano: data on positive Covid swabs accessible to all
Digitization is moving faster and faster, especially in the time of Covid, when even healthcare organizations have had to start digital transformation processes very quickly in order to simplify access to services which, with restrictions on movement, must also be reachable through digital tools. Objectively, we have seen a notable effort from Regions, Municipalities and other Public Administrations. The results, however, leave something to be desired.
Some time ago Ats Milano activated the Milano COR service, where the data of patients with a positive swab were registered. Anyone could query the service and quickly access the result of the swab, obtaining information on how to behave. An intelligent solution, but one undermined by a serious flaw: to obtain the information, it was enough to enter a tax code and a telephone number (any one!). The problem is that, because of the way the procedure was structured, until a few days ago anyone could access the data of all patients or, better, find out whether someone had tested positive for Covid. It was enough to enter a person's tax code and any mobile phone number: if the person to whom the tax code belonged was positive, the system replied with a message specifying that the user was already registered and suggesting access to the portal with credentials, thus revealing that the person was positive.
A careless oversight, but one that on paper allowed anyone to check whether other people were present in the database of positives: the tax code, moreover, can easily be derived from basic information such as first name, surname and date of birth. As soon as it became aware of the problem, Ats Milano changed the procedure, which now requires a login in every case, but by then the damage was done, and the Privacy Guarantor could only intervene.
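The response difference described above, and the login-first correction, as an added example that is not code from Ats Milano or from the original article. All function names, reply wordings and tax codes are constructed for illustration, and the credential check is assumed to happen elsewhere.

```python
import secrets
from typing import Callable, NamedTuple

class Reply(NamedTuple):
    status: int
    body: str

# Constructed sample data: these tax codes belong to no real person.
POSITIVE = {"RSSMRA80A01F205X"}
SESSIONS = {}  # session token -> tax code of the authenticated user

def lookup_leaky(tax_code: str, phone: str) -> Reply:
    """Flow the article describes: any phone number is accepted and the
    reply depends on whether the tax code is in the positive database."""
    if tax_code in POSITIVE:
        return Reply(409, "User already registered, log in with your credentials")
    return Reply(200, "No registration found")  # assumed wording

def lookup_login_first(tax_code: str, phone: str) -> Reply:
    """Corrected flow: the unauthenticated step never consults the database,
    so every tax code gets the same reply."""
    return Reply(401, "Log in with your credentials to view your result")

def open_session(tax_code: str) -> str:
    """Stand-in for a successful login (credential check assumed elsewhere)."""
    token = secrets.token_urlsafe(16)
    SESSIONS[token] = tax_code
    return token

def result_after_login(token: str) -> Reply:
    """Only the session owner's own status is returned, never a queried one."""
    owner = SESSIONS.get(token)
    if owner is None:
        return Reply(401, "Log in with your credentials to view your result")
    return Reply(200, "positive" if owner in POSITIVE else "no positive swab")

def leaks_membership(handler: Callable[[str, str], Reply],
                     tax_codes, phone: str = "3330000000") -> bool:
    """Regression check: True if unauthenticated replies differ between
    tax codes, i.e. a caller could infer who is in the database."""
    return len({handler(code, phone) for code in tax_codes}) > 1

if __name__ == "__main__":
    sample = ["RSSMRA80A01F205X", "BNCLCU75C10H501Z"]  # constructed
    print("leaky flow leaks:", leaks_membership(lookup_leaky, sample))
    print("login-first flow leaks:", leaks_membership(lookup_login_first, sample))
```

A check like leaks_membership can run in a test suite against every unauthenticated endpoint that accepts a personal identifier, so that a reply which varies with database membership is caught before release.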
The Swab in a Click case of the Lombardy Region
The issue with the Lombardy Region's Swab in a Click site is not very different from that of Ats Milano COR. The Swab in a Click service lets you obtain the result of the swab quickly and without going to the offices: you only need to have the health card. To view the results (the service is still active), it is enough to enter the tax code (information that is very easy to obtain), the last 5 digits of the health card and a telephone number, in this case too any number, not necessarily one linked to the specific health card.
Although this is a little harder to get around than the Ats Milano procedure, it is not that difficult to obtain a person's health card: think of an employer, who has it available and could abuse it.
Covid accelerates digitization, but the results leave something to be desired
These two examples show how far behind Public Administrations still are in terms of digitization. If on the one hand it is admirable that the institutions set up platforms to support citizens in a rather short time, with all the complications of the health emergency, on the other hand the results show that many, too many, mistakes have been made: from the INPS disaster in March to, months later, the click day of the mobility voucher and these problems on the platforms. These problems are not technical but cultural: we are not talking about a bug that allows illegal access to the platform, but about botched and ill-conceived procedures. Perhaps they were designed to simplify access for everyone, even those unfamiliar with digital tools, but they are unacceptable in terms of privacy: we are talking about health data, not trivial details.