LogBox has told MyBroadband that elements of TechCrunch’s report regarding a security lapse at the company are inaccurate.
The company said that based on preliminary legal advice, the actions of Anurag Sen, the security researcher, as well as TechCrunch, may have constituted wrongdoing in either or both of the US and South Africa. LogBox said that it is exploring legal remedies against the parties.
The exposed data included the account access tokens for thousands of LogBox users. Sen stated that the tokens could be used to gain complete control of someone’s LogBox account without needing their password.
According to the report, Sen tried to alert LogBox to the data leak but received no response from the company. TechCrunch reported that when it asked LogBox to comment on the story, the database was taken offline.
LogBox launched in South Africa on 2 June 2016, offering a way for patients to provide their personal information to healthcare providers without having to fill in forms asking the same questions at every medical practice.
“Patients’ electronic information is captured once and then shared multiple times in the future with other medical practices that subscribe to LogBox, with explicit consent,” the company said at the launch.
The app was billed as being a step towards digitising South African medical practices in a way that is compliant with the Protection of Personal Information Act (POPIA).
“It has been engineered by our team to be scalable, accommodating large numbers of users, adheres to global best practices in security, and is compliant with current POPI legislation,” LogBox’s development partner, EPI-USE, said at the time.
Lancet Laboratories announced on 14 November 2017 that it had partnered with LogBox to introduce paperless patient intake at sites across South Africa.
The national integration of LogBox into Lancet’s intake system was set to be completed by early 2018.
News of this data leak comes on the day that significant portions of POPIA came into effect, though it should be noted that businesses have been given at least a one-year grace period to comply with the law.
MyBroadband asked LogBox for comment on the data leak, but the company did not respond by the time of publication.