Denmark accidentally sent the healthcare information on 5.3 million of its citizens to a Chinese agency based in Copenhagen.
On 16 July, officials at Datatilsynet, Denmark's Data Protection Agency, acknowledged the incident and revealed it occurred entirely "by mistake."
As quoted in a statement released by Datatilsynet:
"[The] Data Protection Agency … [acknowledges] the case where Statistics Denmark [on] February 18, 2015 [notified the] Data Protection Agency that a registered mail shipment from the Statens Serum Institut (SSI) to Statistics Denmark by mistake had been handed over to the Chinese Visa Application Centre. The letter … contained two CDs with data that was open when Statistics Denmark received it."
SSI is a Danish public sector research institute that works to combat infectious diseases, congenital disorders, and health-related threats arising from weapons of mass destruction. It's located on the island of Amager in Copenhagen.
The two unencrypted CDs contained data on 5,282,616 people residing in Danish municipalities between 2010 and 2012. Denmark's total population in 2012 was about 5.5 million.
That information was of a "very comprehensive nature," the agency said. While the CDs didn't include any people's names or addresses, they did contain healthcare data pertaining to conditions such as cancer, diabetes, and psychiatric disorders, reports Reuters.
The letter is also thought to have contained people's personal information, including their social security numbers.
A postal worker was supposed to deliver the CDs to Statistics Denmark in Copenhagen. By accident, they delivered them to the Chinese Visa Application Service, located on the same street as Statistics Denmark just a few hundred meters away.
An employee at the Chinese agency received the package and opened it. Upon realising the post had delivered the letter to her by mistake, she brought it to Statistics Denmark.
Danish officials have found no reason to believe the employee of the Chinese Visa Application Service violated the confidentiality of the package's information in any way. As such, Datatilsynet does not feel it needs to notify those affected by the breach on an individual basis.
At this time, it intends to take no further action.
This is not the first instance of an accidental breach. On 1 September 2015, the London-based NHS clinic 56 Dean Street accidentally sent out a newsletter containing HIV resources to 781 subscribers whose email addresses were entered into the "to" field. As a result, recipients could view the email addresses (and in most cases full names) of all the newsletter's subscribers.
More recently, Google notified some of its employees of a data breach when a third-party vendor accidentally sent a document containing their sensitive personal information to a benefits manager.
To guard against an accidental breach, it's the organisation's job to educate its employees about the risk of correspondence being delivered to the wrong recipients. Organisations can fulfil this responsibility by making use of an eLearning product such as those offered by Metacompliance to help employees learn their security and compliance policies.