OSAKA -- The government of this Japanese city leaked its login ID and password for the central government's COVID-19 patient information-sharing system to seven residents, it was announced on April 27.
The Osaka Municipal Government reportedly gave a document to seven people who had filed information-disclosure requests without masking the URL, email address used as an ID, or the password for the patient information management system HER-SYS. With the login information, it was possible to browse patients' personal information on the system, but apparently none of the seven logged in.
The city had temporarily commissioned data entry work on HER-SYS to a private company, and the login information was in its operation manual. The seven residents who had requested information disclosure received the document in sequence between March and April.
This information should not have been made public, as people could register fictional patient information if they logged in. The city government explained that an employee who responded to the requests had not masked the login information in the manual because they had thought it was only an example and could not actually be used to log into the system.
According to a municipal public health center, logins require two-step verification using an employee's cellphone, but practically all logins are approved. An official said, "It was highly possible that someone could have logged in (to HER-SYS) on a whim." The city government said that it confirmed by contacting the seven residents that none of them had actually logged in.
Upon receiving a report from an individual who requested the information disclosure, the Mainichi Shimbun made an inquiry with the municipal health center on April 22, and the password was changed the following day. A representative at the health center's infectious disease response division said: "We made it public without sufficient checks. It was an inappropriate response."
(Japanese original by Masaki Ishikawa, Osaka City News Department)