An envelope containing a CD with the healthcare records of 5.3 million Danish citizens was mistakenly delivered to the wrong address, in the hands of an employee working at the Chinese Visa Application Service Centre in Copenhagen, Danish officials announced last week.
The incident took place on February 18, 2015, when Statens Serum Institut (SSI), a private healthcare organization, sent a CD via Post Danmark to the country’s Statistics Office. Due to a mistake made by the postal worker delivering the envelope, the package reached the Chinese Visa Application Service Centre, on the same street, a few hundred meters from the Danish Statistics Office headquarters.
Data on the CD not encrypted
The CD contained the personal and health information of 5,282,616 Danish citizens who resided in the country between 2010 and 2012. The data was not encrypted but did not include names and home addresses, according to a subsequent investigation by the Danish Data Protection Agency.
The same investigation revealed that the Chinese employee who received the letter also opened the package. Discovering the sensitive material on the CD, the same employee realized she received the envelope by mistake and later delivered the data to the Danish Statistics Office.
Authorities said they found no reason to doubt the Chinese Visa Applications employee’s explanation and would not pursue any charges against her.
Officials not pursuing charges against SSI
SSI published statements about the incident on March 20, 2015, and September 10, 2015. As such, the Danish Data Protection Agency claims SSI does not have to inform all affected parties about the accidental data exposure. The Agency also adds it will not be taking any further action against SSI.
Accidental data breaches happen all the time. The most recent case happened to Google in May, when one of the managers of a third-party benefits vendor sent a file containing sensitive information about Google employees to the wrong person.