PUTRAJAYA, Feb 16 — A “super admin” account set up by person or persons unknown was found to have downloaded private information belonging to three million people through the Health Ministry’s MySejahtera (MySJ) app two years ago, Auditor-General Datuk Seri Nik Azman Nik Abdul Majid said in the second series of his report for 2021 released today.
The audit report said the account raised red flags as the personal information was downloaded from multiple internet protocol (IP) addresses.
The MySJ app had been developed initially to register residents in Malaysia for the Covid-19 vaccine in 2021 to curb the coronavirus spread that had battered the country’s healthcare system.
The national audit report scrutinised the app’s management from registration to the procurement and disbursement of the national Covid-19 vaccine programme and found that the ministry’s objectives were largely met.
But it also found significant weaknesses in the MySJ app that exposed its users to data risks or other dubious practices.
The audit report highlighted that there had been 1.12 million attacks on the MySJ app from October 27, 2021.
It also noted that 1,657 people had more than one MySJ identity registered.
Another 1,543 individuals were found to have between two and seven accounts that showed 3,108 MySJ identities with active status, verified identity and that they had been vaccinated.
“Registration and termination for the MySejahtera and Malaysia Vaccine Administration System (MyVAS) Applications administrative management were done through backend scripts as user account cancellations can only be done through backend scripts.
“A total of 56 MyVAS Admins were created, with 29 users given to third parties and 10 users created as ‘general users’,” national auditors said in the report.
They noted that vaccination records showed that a total of 28,735 individuals were vaccinated at government-listed vaccination centres — or PPV as they are better known by their Malay abbreviation — after they were closed down.
The auditors also found 12,275 vaccination records that had been uploaded into the system were not complete.
Another 3.89 million records were uploaded more than one day after the date the individual was vaccinated while 203,846 records had been uploaded into the system before the date of vaccination and 46 records were not available in the system at all.
The auditors said 70 MySJ accounts belonging to people who have since died were still listed as “active”.
In his report, AG Nik Azman recommended the Health Ministry undertake the following measures to address these weaknesses and prevent a recurrence in its systems, especially since the MySJ app is still being used for a broader number of health matters.
“The Ministry of Health must ensure the management of user accounts for MySejahtera and MVAS applications is carried out in accordance with the Ministry’s ICT Security Policies.
“The Ministry of Health must implement data housekeeping to ensure the availability, completeness and reliability of data.
“The Ministry of Health should conduct a thorough security assessment on the MySejahtera and MVAS applications and upgrade the security features to guarantee the security of the system and data,” he said in his report.
Apart from the Health Ministry, the audits in series 2 of the AG report were conducted on the National Security Council, Ministry of Science and Technology, Malaysian Administrative Modernisation and Management Planning Unit, the Perak Health Department, a private clinic in Presint 11 Putrajaya, and a PPV in Banting, Selangor.