According to LogBox, some elements in TechCrunch’s report regarding a security lapse at the company are inaccurate.
The company said that based on preliminary legal advice, the actions of Anurag Sen, the security researcher, as well as TechCrunch, may have constituted wrongdoing in either or both of the US and South Africa.
LogBox has therefore said that it is exploring legal options against the parties, even though it is yet to pinpoint which particular elements of the report are 'inaccurate'.
TechCrunch had reported that security researcher, Anurag Sen on Twitter recently discovered an exposed database belonging to South African medical data startup LogBox.
The exposed data included the account access tokens for thousands of LogBox users. Sen stated that the tokens could be used to gain complete control of someone’s LogBox account without needing their password.
According to the report, Sen tried to alert LogBox to the data leak but received no response from the company. TechCrunch reported that when it asked LogBox to comment on the story, the database was taken offline.
Launched in South Africa on 2 June 2016, LogBox offers an easier option to patients to provide their personal information to healthcare providers without having to fill in forms at every medical practice that all ask the same questions.
“Patients’ electronic information is captured once and then shared multiple times in the future with other medical practices that subscribe to LogBox, with explicit consent,” the company had said at the 2016 launch.
The app was billed as a step towards digitising South African medical practices whilst complying with the Protection of Personal Information Act (POPIA).
“It has been engineered by our team to be scalable, accommodating large numbers of users, adheres to global best practices in security, and is compliant with current POPI legislation,” LogBox’s development partner, EPI-USE, said at the time.
Backing the move, Lancet Laboratories announced on November 14 2017 that it had partnered with LogBox to introduce paperless patient intake at sites across South Africa, setting early 2018 as a date for the completion of this integration.
The news of this data leak however broke on July 1st 2020, the day that significant portions of POPIA came into effect.