Case Notes

IT system containing over 11,000 unencrypted patients’ records being hacked – DPP 4 – security of personal data

Background

A government department reported to the PCPD that its IT system had been hacked. The intruded server contained over 11,000 unencrypted temporary files, which included patients’ personal data like their names, Hong Kong Identity Card numbers, gender, clinical histories and assessments. The department suspended the server immediately, and its subsequent investigation revealed that less than 4% of the temporary files might have been accessed or downloaded by the hacker.

The department’s investigation also revealed that the temporary files were generated by an Application Programming Interface which was not deleted immediately after use, owing to a programming bug. Although the programming bug had already come to the department’s knowledge several months before and the department had since conducted the first batch deletion, the remaining files were still susceptible to hacking.

Remedial Measures

The department identified the security vulnerability during the investigation and subsequently rectified the programming bug. It also conducted a comprehensive security risk assessment and privacy impact assessment before the resumption of its IT system. The following long-term measures were recommended and devised to prevent recurrence of similar incidents:

1. Migrate the IT system to the e-Government Infrastructure Service provided by the Office of the Government Chief Information Officer in one year with a view to enhancing system security;
2. Acquire an IT security consultancy service to enhance system security and monitoring; and
3. Acquire resources to strengthen the in-house support team and minimise the reliance on its contractors.

(Uploaded in July 2022)