Security lapse at South Africa’s LogBox exposed user accounts and medical data

LogBox, a South African medical data startup that bills itself as an “absolutely secure” way of replacing paper forms for sharing patient data with doctors, has exposed user accounts and patient data following a security lapse.

Security researcher Anurag Sen found an exposed database belonging to the company that contained account access tokens for thousands of LogBox users; anyone who used those tokens would get full access to the users' accounts without needing their passwords, Sen said.
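The reason a leaked access token is as good as a password is that a bearer token is accepted exactly as stored: if the database holds the token itself, a copy of the database is a copy of every live credential. The block below is an added illustration, not LogBox's code, and nothing on this page says how LogBox stored its tokens; the `TokenStore` class, its `hash_at_rest` flag and the `dump()` helper that stands in for an attacker reading an exposed table are all assumptions made for the example. It contrasts a store that keeps raw tokens with one that keeps only a SHA-256 digest, and shows the revocation step a team would run after an exposure.

```python
import hashlib
import secrets


class TokenStore:
    """Minimal server-side store of bearer access tokens (illustrative, assumed design).

    hash_at_rest=False keeps the raw token as the lookup key, so a database dump
    yields working credentials. hash_at_rest=True keeps only sha256(token), so a
    dumped row cannot be presented back to the service as a token.
    """

    def __init__(self, hash_at_rest: bool):
        self.hash_at_rest = hash_at_rest
        self.rows = {}  # lookup key -> user id (what would sit in the database)

    def _key(self, token: str) -> str:
        if self.hash_at_rest:
            return hashlib.sha256(token.encode()).hexdigest()
        return token

    def issue(self, user_id: str) -> str:
        """Create a random token for user_id; only its storage form goes into rows."""
        token = secrets.token_urlsafe(32)
        self.rows[self._key(token)] = user_id
        return token  # handed to the client once; never stored raw when hashing

    def authenticate(self, presented: str):
        """Return the user id for a presented token, or None if it is unknown."""
        return self.rows.get(self._key(presented))

    def revoke_all(self) -> int:
        """Incident response after an exposure: invalidate every outstanding token."""
        count = len(self.rows)
        self.rows.clear()
        return count


def dump(store: TokenStore):
    """Stand-in for an attacker reading the exposed table: every stored key value."""
    return list(store.rows.keys())


def replay_from_dump(store: TokenStore) -> bool:
    """True if at least one value copied from the dump logs in as some user."""
    return any(store.authenticate(value) is not None for value in dump(store))


def demo():
    """Returns (raw_store_replayable, hashed_store_replayable)."""
    raw = TokenStore(hash_at_rest=False)
    hashed = TokenStore(hash_at_rest=True)
    raw.issue("user-1")      # constructed sample user, not real data
    hashed.issue("user-1")
    return replay_from_dump(raw), replay_from_dump(hashed)


if __name__ == "__main__":
    raw_hit, hashed_hit = demo()
    print("raw tokens at rest: dump replayable =", raw_hit)
    print("hashed tokens at rest: dump replayable =", hashed_hit)
```

With raw tokens at rest, the dump replays straight back as a login; with hashed tokens it does not, because the service hashes whatever is presented and the stored digest no longer matches. Hashing at rest does not remove the need to revoke: a client that still holds the raw token is unaffected by the hashing, so `revoke_all()` (or a per-user equivalent) is the step that actually closes the window once a store is known to have been exposed.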

Sen reported the exposed database to the company but did not hear back. After TechCrunch reached out, the database was pulled offline.

When reached, LogBox director Neal Goldstein declined to comment by our deadline or to answer any of our questions, specifically whether LogBox planned to inform users or customers that their data had been exposed, or whether the company planned to report the incident to regulators.

Founded in 2010, LogBox has become a rising star in South Africa, just last year partnering with Lancet Laboratories, a medical diagnostics company that operates in 11 African countries.

South Africa is one of Africa’s top tech hubs, attracting $206 million in VC in 2019, according to Partech.

Health tech ventures have been on the rise across Africa, with medical related startups accounting for a third of all investment deals on the continent in 2019, per WeeTracker’s last annual investment report.

LogBox’s database exposure comes as South Africa’s new data privacy laws — advanced by the country’s president Cyril Ramaphosa — take effect on July 1.

South Africa’s Protection of Personal Information Act (POPIA) seeks to better safeguard personal data and protect against data breaches, according to a statement from the country’s president.

The law’s provisions cover both the kind of personal-data processing LogBox does and exposures of the kind described here.