OSAKA – The government of this Japanese city has leaked its login ID and password for the central government’s COVID-19 patient information sharing system to seven residents, it was announced on April 27.
The Osaka municipal government reportedly handed over a document to seven people who had filed information disclosure requests without obscuring the URL, email address used as their login, or information management system password on HER-SYS patients. With the login credentials, it was possible to browse the patients’ personal information on the system, but apparently none of the seven were logged in.
The city had temporarily commissioned data entry work on HER-SYS from a private company, and the login information was in its user manual. The seven residents who had requested disclosure of information received the document in order between March and April.
This information should not have been made public, as people could record fictitious patient information if they logged on. The city government explained that an employee who responded to the requests did not hide the login information in the manual because he thought it was an example and could not be used to log into the system.
According to a municipal public health center, logins require two-step verification using an employee’s cell phone, but virtually all logins are approved. An official said: “It was quite possible that someone logged in (to HER-SYS) on a whim.” The city government said it confirmed by contacting the seven residents that none of them had actually logged on.
After receiving a report from a person who requested information disclosure, the Mainichi Shimbun made an inquiry to the municipal health center on April 22, and the password was changed the next day. A representative from the health center’s infectious disease response division said, “We released it to the public without sufficient verification. It was an inappropriate response.”
(Japanese original by Masaki Ishikawa, Osaka City News Department)
