National health insurance info on 100,000 people leaked


Lists containing personal information related to around 103,000 people, including public health insurance card numbers, have been leaked, with some of the information sold off in what could be Japan’s largest ever case of data theft.

An official at the Health, Labor and Welfare Ministry said lists compiled by hospitals and pharmacies may have been leaked, and that the ministry has begun an investigation.

The revelation comes amid growing concern over the government’s handling of personal information ahead of the start next month of the My Number social security and tax number scheme, in which 12-digit ID numbers have been allocated to all residents of Japan.

“It is highly likely that they have leaked from multiple medical institutions,” said Harumichi Yuasa, a professor at the Institute of Information Security, adding a data leak of this magnitude involving medical information is unprecedented.

An official with a list brokerage firm that obtained some of the personal information said it had acquired the data from another broker in December 2008, and sold some of the information despite being surprised at how sensitive it was.

Health insurance cards, which can be used for identification purposes to open bank accounts and apply for credit cards, could be reissued by just providing card numbers, names and addresses, raising concerns the information could be used to commit fraud.

The leaked data included information on people in 46 of the 47 prefectures, largely in the western Kinki and Shikoku regions.

The records of about 37,000 people, the largest number, were exposed in Osaka Prefecture, followed by some 25,000 in Nara Prefecture and about 24,000 in Shiga Prefecture.

Kyodo News was able to obtain copies of the lists and confirm the accuracy of the names, addresses, birthdays and phone numbers of 44 people from 27 households who agreed to be interviewed. The public health insurance card numbers for 11 of them were also up to date.

It is believed the leaked data also included statements detailing health expenses and other records handled by medical institutions.

Following a massive customer data theft from Benesse Holdings Inc. in 2014, which affected at least 28.95 million customers, many institutions, including hospitals and other medical organizations, enhanced their security measures.

However, Hiroshi Fukatsu, head of the Aichi Medical University’s medical information division, said system maintenance service companies can easily steal such information through online methods, even from outside hospitals. “Anyone who knows how to do it can also delete the login history,” he added.

Since 2001, the government has encouraged the use of information technology to manage medical records as a way to improve work efficiency and cut costs. It also plans to let medical institutions share medical information under the new My Number system.

“Information such as the medical history is very sensitive and should be handled with utmost care,” Fukatsu warned.

“I used to think about it as somebody else’s problem,” said a 47-year-old woman from Otsu, Shiga Prefecture, whose information, as well as that of her relatives, had been leaked. “I had never felt the information was misused, but (knowing the data has been leaked) makes you feel uncomfortable.”

A 49-year-old taxi driver from the city of Osaka said the health insurance number he used over 10 years ago was leaked. He is now concerned a similar thing might happen when the My Number scheme begins.

The government says not all personal information will be exposed, even if the personal number is leaked. Still, the public remains largely skeptical and unconvinced.

A 52-year-old unemployed man also from Osaka said the My Number system is at risk of a leak. He added that he has no intention of applying for the identification card carrying his individual number because his personal information might get stolen.

“I am going to give my personal number to my employer but this news has frightened me,” a 67-year-old female part-time worker from Osaka also said

  • Aholl Urang

    Isn’t it wonderful, pay high taxes for protection when there is none.

  • GBR48

    It’s unlikely to be a bigger data breach than the Benesse one, if that affected 28.95 million people.

    You have to be able to ID people using a system like My Number if you are to obtain any of the cost, convenience and efficiency benefits from the use of computerised systems.

    Trading in illegal data needs to be treated the same way as trading in illegal drugs, so the guy from the list brokerage firm that sold some of this data would have gone to prison and his company would have been shut down. As would the individual he bought it off, and their company.

    The guy sold it ‘despite being surprised at how sensitive it was’, is a polite way of saying that he knew it was stolen but didn’t care: there was money in it, and he didn’t fear being fined and imprisoned, at least not enough to persuade him to do the right thing.

    I wonder what percentage of list brokers can verify the sources of the data they sell? Without that, they are cheerfully making money in a manner no different from that of an organised crime syndicate.

    The fault is not with having an ID system like My Number. The fault is in inadequately policing the security of data, failing to hand out fines and prison sentences to individuals, and failing to shut down any company that deals in or possesses any stolen data. If they cannot verify the original source as legit, they should fear the consequences of handling it so much, that they do not buy or sell it. They might also receive a financial reward for reporting to the police attempts to sell such data to them.

    There will always be data leaks, as there will always be people who break the law for gain. It is something we will just have to learn to deal with.

  • disqus_vBekJrf7g5

    I thought we Japanese were supposed to be too honest and trust worthy to do this sort of thing…
    I’m shocked I tell you, shocked!