'Police given secret access to hospital database'

[InfoSec News <alerts () infosecnews org>]

https://news.rthk.hk/rthk/en/component/k2/1463437-20190617.htm

rthk.hk
2019.06.17

The police were able to find and arrest people injured in last Wednesday's
extradition bill protests because officers have been given secret backdoor
access to the Hospital Authority's patient database, medical sector lawmaker
Pierre Chan said on Monday.

Chan said he has obtained evidence that police officers -- and other parties --
can use computers at accident and emergency units in public hospitals to access
a link -- without the need for a password -- to obtain patients' information
including their name, ID card numbers, phone numbers, age and the date and time
of their treatment.

He said the backdoor was designed by the Hospital Authority's head office, but
frontline medical staff only found out about it following the protest arrests.

"The doctors and nurses in the accident and emergency departments tried to find
out why the patients attending A&E got caught. And we didn’t understand. And
that’s why they tried to figure it out. And accidentally they found this link,
found this backdoor," Chan told a press conference on Monday.

"And this system is set up by the head office and also the IT system. It’s not
the frontline," he said.

[...]

--
Subscribe to InfoSec News
https://www.infosecnews.org/subscribe-to-infosec-news/
https://twitter.com/infosecnews_