Primary Healthcare Commission announces suspected intrusion into outsourced network system of operator of Kwai Tsing District Health Centre
******************************************************************************************
The Primary Healthcare Commission (PHC Commission) under the Health Bureau announced yesterday (April 29) that the PHC Commission received notification from the Kwai Tsing Safe Community and Healthy City Association (KTSCHCA), the operator of the Kwai Tsing District Health Centre (Kwai Tsing DHC), on April 28 on suspected hacking of its outsourced service provider’s network system, resulting in possible leakage of members’ data. The PHC Commission is highly concerned about the incident, and has instructed the KTSCHCA to seriously follow up and to submit a report within three working days.
According to the notification from the KTSCHCA, the system involved is managed independently by its outsourced service provider, and is mainly used to assist with administrative work such as service booking or members’ sign-in at the Kwai Tsing DHC. The outsourced network system was hacked last Sunday (April 27), resulting in possible leakage of members’ data, including names, membership numbers, dates of birth, residential districts (not full addresses) and the first four digits of the Hong Kong Identity Card of some members who have enrolled in a vaccination programme. The KTSCHCA is currently assessing the possible number of members of the Kwai Tsing DHC affected and the data involved.
The PHC Commission noted that the KTSCHCA has reported the incident to the Police and the Office of the Privacy Commissioner for Personal Data, and has also informed the Digital Policy Office of the incident. As required by the PHC Commission, the KTSCHCA has immediately suspended the operation of the Kwai Tsing DHC’s network system and all external connections to its computer servers to prevent further intrusion attempts by hackers. The KTSCHCA has also commissioned an independent cybersecurity expert to conduct an investigation and review. In view of the system suspension of the DHC, the appointments for blood taking and seasonal influenza vaccination of relevant DHC members will be rescheduled starting from yesterday. The operator of the Kwai Tsing DHC has started to notify the relevant members via phone calls and text messages, and will also inform all its members of the hacking incident. Members of the public may contact the DHC at 1878 222 for enquiries.
The system involved does not have any direct connection with the systems of DHCs/DHC Expresses in the other 17 districts in Hong Kong. The operators of other DHCs/DHC Expresses have not outsourced or used the system involved. The PHC Commission has urged the operators of other DHCs/DHC Expresses to review their network systems, including the systems of their outsourced service providers, the computer security risk, and whether any suspicious activities have occurred. The PHC Commission has not received any report of similar incidents.
Besides, the Kwai Tsing DHC is a registered healthcare provider on eHealth. Currently, it connects to eHealth through the designated clinical management system (CMS) specified by the PHC Commission to assist members in registering with eHealth, managing members’ participation in government-subsidised healthcare programmes and facilitating service referrals, etc. The system involved is independent of both the designated CMS and eHealth, with no direct system interfaces. Investigations also revealed that there was no intrusion into eHealth by hackers or any leakage of personal data from eHealth. However, for prudence’s sake, upon receiving notification of the incident, the Commissioner for the Electronic Health Record (eHRC) has suspended the eHealth registration of the operator concerned, in order to protect data privacy and system security of eHealth. During the suspension period, the Kwai Tsing DHC is unable to access any electronic health record in eHealth. The eHRC will only resume the connection of the Kwai Tsing DHC with eHealth after conducting a careful assessment of the detailed report submitted by the Kwai Tsing DHC and confirming that the security risks of the system are fully eliminated.
The Government emphasised that it has always attached great importance to cybersecurity. The PHC Commission is conducting a comprehensive review of the incident, including whether the cybersecurity measures of the KTSCHCA are in compliance with the requirements stipulated in the DHC operation contract, and will further strengthen the protection measures to prevent the recurrence of similar incidents.