Health Data on Nearly Every Dane Sent to Chinese Firm

Sensitive medical data on almost the entire population of Denmark has been accidentally sent to a Chinese state-linked visa office.

The Danish Data Protection Agency (Datatilsynet) admitted the error last week.

It happened in February last year when two unencrypted CDs containing the data were posted by the State Serum Institute (SSI) – a government-funded organization tasked with combating infectious diseases.

They were apparently intended for Statistics Denmark, the country’s equivalent of the UK’s ONS, but the envelope containing the CDs ended up in the hands of the Chinese Visa Application Service Centre a few hundred meters away.

An employee at the center opened the envelope “by mistake” and then went to the Statistics Denmark office with it, explaining what had happened, according to an SSI explanation on the Datatilsynet site.

The SSI said it doesn’t believe anyone at the center accessed the data, and the watchdog claims it will take no further action, despite having previously told the SSI that data must be encrypted before being sent by post.

The data involved is highly sensitive, containing social security numbers as well as health information related to cancer, diabetes, psychiatric illnesses and more, according to Reuters. However, no names or addresses were included, according to the watchdog.

The visa office is not directly run by the Chinese state, but is apparently a unit of the state-owned Bank of China, so there are legitimate concerns that the data may have been accessed.

It was claimed after the infamous US Office of Personnel Management attacks that the Chinese state is building up a database of US citizens for strategic purposes which could further its geopolitical and military aims in the future.

Health information like that accidentally leaked by the Danish state would certainly be strategically useful for a foreign power.

In total, data on 5,282,616 citizens residing in the Scandinavian nation between 2010 and 2012 was on the two discs. The population at the time is said to have been around 5.5 million – which means most of the country is affected.

What’s Hot on Infosecurity Magazine?