[BreachExchange] China Investigating Data Leak and Swindling of H.I.V. Patients

Thu Jul 21 20:13:30 EDT 2016

http://www.nytimes.com/2016/07/22/world/asia/china-hiv-aids-leak.html

Bai Hua, the director of a support network based in Beijing for people with
H.I.V./AIDS, said he began receiving the messages about two weeks ago.
Hundreds of people with H.I.V. across China were reporting that they were
being called by someone who claimed to be from the government and had
access to their medical records and other personal information.

According to Mr. Bai, one man, who lives in Huangshan, in Anhui Province,
said that he received a call last week. The caller, who knew the man’s name
and the details of the case, said that he was with the city’s Center for
Disease Control and Prevention and that under a new policy, the man could
receive a subsidy of 4,680 renminbi, or about $700, for drugs and
treatment. The caller left a number the man could call for more information.

The man wrote down the number but grew suspicious because the area code was
for a different province. He messaged the Beijing support network,BHL China
League, and discovered that he was not the only one to receive such a call.
Mr. Bai said that, as of Wednesday night, more than 490 people with H.I.V.
had reported being contacted. Several were told that to receive the
subsidy, they needed to pay a service fee by online or A.T.M. transfer. So
far, Mr. Bai said, he has been told of 11 who were cheated out of sums
ranging from $100 to $10,000 each, for a total of more than $18,000. Some,
suspecting fraud, said they challenged the callers, only to be told that
their medical records would be made public if they did not pay.

The question that Mr. Bai and others are now asking is, How did these
fraudsters gain access to what is supposed to be confidential medical data?
And what might they do with that information?

“The swindlers clearly have detailed information about H.I.V. carriers,
including their names, ages, addresses, I.D., places of employment, even
information about their relatives,” Mr. Bai said. “That information could
only have been obtained from the Chinese Center for Disease Control and
Prevention, because only it has this information from all over the country.”

Under a government program that provides free antiretrovirals, people with
H.I.V. must submit personal and medical information to the center. Some
also need to register data with designated local hospitals to get the
drugs. According to the World Health Organization, more than 575,000 people
in China had H.I.V.in 2015.

“Given the scale of this, it’s not likely that it was a lower-level
organization that leaked the information,” Mr. Bai said.

On Monday, the World Health Organization and the Joint United Nations
Program on H.I.V./AIDS released a joint statement on Weibo saying, “The
leak of personal information of people infected with H.I.V. is a violation
of the fundamental right to patient confidentiality.” It urged the health
authorities to investigate how the information was disclosed and to step up
security measures.

Calls to the center this week went unanswered. According to the news media,
the center has reported the case to the police and has notified its
affiliates, asking them to warn patients about the fraud.

“Information about people with H.I.V. is emphatically protected in our
national information network,” the center said, according to People’s
Daily, the state-run newspaper. “After these swindles, the center has
undertaken emergency security measures and information security checks and
is upgrading security.”

Wu Zunyou, the director of the National Center for AIDS/S.T.D. Control and
Prevention under the center, wrote on Weibo on Sunday that “it’s illegal
and immoral to obtain H.I.V. carrier’s information to commit fraud.” On
Wednesday, Mr. Bai received a message from Han Mengjie, Communist Party
secretary of the national center, saying: “If you have detailed information
on how victims were swindled, please let us know. It’s useful for the
police investigation. All levels of our affiliated centers are cooperating
with the police on the investigation.”

Mr. Bai said that despite years of work by nongovernmental organizations
and civic groups and legal changes prohibiting discrimination, social
prejudice persisted.

“If you look at the comments on Weibo, you’d be surprised to see how many
people say ‘They deserve it’ or ‘Information on H.I.V. carriers should be
published,’ ” he said. “It reminds me that there’s still a long way to go
in China to achieve equal rights for H.I.V. carriers.”

In 2014, villagers in Sichuan Province petitioned to expel an 8-year-old
boy who tested positive for H.I.V.

That year, Spring Airlines, a Chinese budget carrier, refused to allow two
travelers with H.I.V. to board, saying their presence would disturb other
passengers. The two sued the airline and received about $13,000 in
compensation.

Mr. Bai said that another victim of the phone fraud, a man from Zhejiang
Province, told him that he did not notify the police for fear that the
information would be leaked to more people. The man said that the caller
had reached him at his office, and once his colleagues learned that he had
H.I.V., they began treating him differently. The man has since quit his job.

While awaiting answers as to how their medical data was hacked or leaked,
people with H.I.V. are worried about the possibility of new swindles or
blackmail.

“Now that it’s basically certain that our information is in the hands of
criminals, what will the authorities do to prevent more crimes from
happening?” asked a 28-year-old Beijing resident with H.I.V. who used the
name Luoluo on Weibo. “Will there just be an apology and then everybody
forgets about it, leaving the victims to their nightmares?”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160721/f0fd2285/attachment.html>