Leaked video exposes how patient data in Hong Kong public hospitals can be accessed by any user without needing a password

Public hospitals in city already under fire over concerns leaks led police to arrest those injured while protesting against a contentious extradition bill

Software developer says A&E program carries huge risk and was built with an ‘intentional back door’ that allows anyone to access data while leaving no trace

Reading Time:3 minutes

The Accident & Emergency Department Clinical Information System that is loaded in computers at public hospitals. Photo: Handout

Published: 9:27pm, 18 Jun 2019Updated: 11:51pm, 18 Jun 2019

Patient data at Hong Kong’s public hospitals can be accessed by any user with no need for a password, a leaked video shown to the Post and verified by multiple hospital sources has revealed.

Software developer Wong Ho-wa warned the program used in public accident and emergency (A&E) wards called AEIS carried a huge risk and was built with an “intentional back door”, allowing anyone to access patients’ files while leaving no trace.

It meant there was no control over who had permission to access the data and no way of monitoring who had seen it, Wong said.

Public hospitals in the city were already under fire over concerns that information leaks from hospitals had led police to arrest injured protesters who took part in demonstrations against a contentious extradition bill last Wednesday.

Dr Pierre Chan, the medical sector lawmaker said the program could be accessed without using passwords, prompting fear that such loophole had helped the police force identify protesters.