Skip to content

Case Notes

Case Notes

This case related to DPP4 - Security of personal data

Case No.:2022DB01

Unauthorised access to a clinical centre’s customer personal data system – DPP 4 – security of personal data


A clinical centre reported to the PCPD that its customer personal data system containing patient files had suffered a ransomware attack. As a result, about 115,000 records of patients’ personal data containing names, gender, dates of birth, HKID Card numbers, contact numbers and addresses, email addresses, occupations, family history and emergency contact information were leaked. The incident was caused by the use of outdated operating systems and software, which had left its system vulnerable to attackers.

Remedial Measures

Upon receiving the notification from the clinical centre, the PCPD initiated a compliance check and provided recommendations to the clinical centre to ensure compliance with the provisions of the PDPO. The clinical centre conducted a vulnerability scan on its systems, updated the relevant software and operating systems, and scheduled a weekly system update exercise to ensure that all software installed was up to date. It also agreed to engage an external cybersecurity company to conduct a security audit on its systems on an annual basis.

Lesson learnt

The use of outdated software and operating systems could expose a data user to severe security vulnerabilities. Healthcare organisations possess a huge amount of patients’ sensitive data and should therefore take reasonably practicable measures to ensure their systems are free from outdated or unsupported software to minimise the risk of exposure to cyberattacks. Healthcare organisations should perform periodic vulnerability scanning exercises to detect possible security vulnerabilities and take timely action to remediate them.

(Uploaded in February 2023)

Category : Provisions/DPPs/COPs/Guidelines : Topic/Subject Matter :