Unauthorised access to a clinical centre’s customer personal data system – DPP 4 – security of personal data
Background
A clinical centre reported to the PCPD that its customer personal data system containing patient files had suffered a ransomware attack. As a result, about 115,000 records of patients’ personal data, containing names, gender, dates of birth, HKID Card numbers, contact numbers and addresses, email addresses, occupations, family history and emergency contact information, were leaked. The incident was caused by the use of outdated operating systems and software, which had left the centre’s system vulnerable to attackers.
Remedial Measures
Upon receiving the notification from the clinical centre, the PCPD initiated a compliance check and provided recommendations to the clinical centre to ensure compliance with the provisions of the PDPO. The clinical centre conducted a vulnerability scan on its systems, updated the relevant software and operating systems, and scheduled a weekly system update exercise to ensure that all software installed was up to date. It also agreed to engage an external cybersecurity company to conduct a security audit on its systems on an annual basis.
Lesson learnt
The use of outdated software and operating systems could expose a data user to severe security vulnerabilities. Healthcare organisations possess a huge amount of patients’ sensitive data and should therefore take reasonably practicable measures to ensure their systems are free from outdated or unsupported software to minimise the risk of exposure to cyberattacks. A regular patching schedule only helps with software that still receives vendor fixes; operating systems and applications that have reached end of support must be upgraded or replaced, since no patch will be issued for vulnerabilities found in them. Healthcare organisations should perform periodic vulnerability scanning exercises to detect possible security vulnerabilities and take timely action to remediate them.
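The remedial measures above (scan, update, repeat on a schedule) and the lesson that unsupported software must be replaced rather than patched can be turned into a simple recurring inventory check. The following is an added example written for this page; it is not the clinical centre’s or the PCPD’s code. The package names, version numbers and end-of-support dates are constructed sample data, and the `Package` and `audit` names are this example’s own. It separates the two findings a practitioner needs to act on differently: software that is merely behind the vendor’s current release (apply the update) and software that is past vendor end of support (upgrade or replace, because no update will come). Versions are compared numerically rather than as strings, since a string comparison would wrongly rank "9.2.0" above "10.0.1".

```python
"""Recurring inventory check for outdated or end-of-life software.

Added example, not part of the PCPD case note. The inventory below is
constructed sample data, not the clinical centre's real systems.
"""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Package:
    name: str
    installed: str        # version currently installed
    latest: str           # latest version the vendor currently ships
    end_of_support: date  # last day the vendor issues security fixes


def parse_version(v: str) -> tuple:
    """Turn '10.0.19045' into (10, 0, 19045) so components compare as
    integers; a non-numeric component (e.g. 'rc1') is treated as 0."""
    parts = []
    for p in re.split(r"[.\-]", v.strip()):
        m = re.match(r"^(\d+)", p)
        parts.append(int(m.group(1)) if m else 0)
    return tuple(parts)


def is_outdated(pkg: Package) -> bool:
    """True when the installed version is numerically below the latest.
    Both tuples are zero-padded so '1.10' and '1.9.5' compare correctly."""
    a, b = parse_version(pkg.installed), parse_version(pkg.latest)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def is_unsupported(pkg: Package, today: date) -> bool:
    """True once the vendor's end-of-support date has passed."""
    return today > pkg.end_of_support


def audit(inventory, today: date):
    """Return (name, finding, action) for every package needing work.
    UNSUPPORTED takes precedence: patching cannot fix end-of-life software."""
    findings = []
    for pkg in inventory:
        if is_unsupported(pkg, today):
            findings.append((pkg.name, "UNSUPPORTED",
                             f"end of support {pkg.end_of_support.isoformat()}; "
                             "upgrade or replace, no patch will be issued"))
        elif is_outdated(pkg):
            findings.append((pkg.name, "OUTDATED",
                             f"{pkg.installed} installed, {pkg.latest} "
                             "available; apply the vendor update"))
    return findings


# Constructed sample inventory (hypothetical names and dates).
INVENTORY = [
    Package("legacy-os", "6.1.7601", "6.1.7601", date(2020, 1, 14)),
    Package("records-app", "9.2.0", "10.0.1", date(2027, 12, 31)),
    Package("web-server", "2.4.58", "2.4.58", date(2027, 12, 31)),
    Package("pdf-viewer", "1.10", "1.9.5", date(2026, 6, 30)),
]


if __name__ == "__main__":
    # Run this from a weekly scheduled job and act on every line printed.
    for name, finding, action in audit(INVENTORY, date(2023, 2, 1)):
        print(f"{finding:<12}{name:<14}{action}")
```

Run as a weekly scheduled job, the script prints `legacy-os` as UNSUPPORTED and `records-app` as OUTDATED for the constructed inventory, while `web-server` (current) and `pdf-viewer` (installed build newer than the listed release) produce no finding. In practice the inventory would be generated from the package manager or an asset management tool and the end-of-support dates kept current from vendor lifecycle pages.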
(Uploaded in February 2023)