Unauthorised access of personal data held by a clinical centre – DPP 4 – security of personal data
Background
A clinical centre reported to the PCPD that its servers containing patients’ personal data were attacked by ransomware, resulting in the malicious encryption of files containing personal data of around 100,000 patients. The hacker demanded ransom for the file decryption. The affected personal data included names, identity document numbers, telephone numbers, dates of birth, addresses, and medical records.
The incident was likely caused by the use of firewall firmware that was not up to date. This allowed the hacker to exploit an unpatched vulnerability in the firewall to remotely execute commands or programs through Secure Sockets Layer Virtual Private Network (SSL VPN) and acquire the credentials of an administrative account, and subsequently to deploy ransomware and encrypt the files containing patients’ personal data. At the time of the incident, there were no policies or procedures in place relating to vulnerability and patch management.
Remedial Measures
Upon receipt of the notification from the clinical centre, the PCPD commenced an investigation against the clinical centre regarding the incident and served an Enforcement Notice on the clinical centre. In response to the incident, the clinical centre implemented remedial measures, including upgrading the firewall firmware, patching the vulnerability in question, and implementing a series of security enhancements on its information systems. To comply with the Enforcement Notice, the clinical centre devised policies and procedures related to application vulnerability and patch management, and implemented multi-factor authentication for all remote access users accessing personal data.
Lesson learnt
Healthcare organisations generally possess a vast amount of sensitive patient data, which inevitably makes their information systems targets for hackers. The incident highlighted that timely updates of security devices and software are crucial for maintaining information security. Software and device updates often involve patching vulnerabilities and weaknesses in previous versions to enhance system security. Organisations should devise clear security policies and procedures and implement measures to ensure compliance by staff members.
(Uploaded in February 2025)