Cyber Incident Victim: Department of Health, Hong Kong

Date: Jul 2018

Location: Hong Kong

Summary

Hong Kong's Department of Health experienced a ransomware attack affecting three computers across its Infection Control Branch, Clinical Genetic Service, and Drug Office, with certain files encrypted and rendered inaccessible. Although the attackers left contact information for obtaining decryption keys, no ransom demand was issued. Authorities confirmed that no confidential personal data was compromised or leaked, and backups of the encrypted files were available. Police initiated an investigation, suspecting financial motives behind the intrusion, potentially linked to unsafe browsing or email practices by users. The incident followed a global trend of healthcare sector targeting, including a major breach in Singapore, and aligned with recent local cyberattacks on telecommunications and travel companies involving data theft and extortion attempts.

Description

In mid-July 2018, Hong Kong’s Department of Health experienced a ransomware attack affecting three computers across separate divisions: the Infection Control Branch, Clinical Genetic Service, and Drug Office. The infiltration occurred over a two-week period starting July 15, with attackers encrypting files on the compromised systems. A contact email address for obtaining a decryption key was left on the machines, though no explicit ransom demand accompanied the attack. Department staff discovered the incident when users could power on the devices but found critical files inaccessible due to the encryption. The department confirmed the affected computers did not store confidential personal information and emphasized no data leakage occurred. Backup systems containing identical data to the encrypted files remained available, minimizing operational disruption. Following government protocols, officials reported the incident to Hong Kong police and the Office of the Government Chief Information Officer for investigation.

Police investigators classified the incident as ransomware with suspected financial motivation, despite the absence of direct monetary demands. Forensic analysis suggested potential infection vectors included users accessing unsafe websites or interacting with malicious email attachments or hyperlinks. The attack occurred amidst heightened regional cybersecurity concerns following Singapore’s July 2018 breach of 1.5 million health records, including Prime Minister Lee Hsien Loong’s medical data. Hong Kong itself had experienced multiple significant breaches earlier that year, including January 2018 ransomware attacks against Goldjoy Holidays and Big Line Holiday travel agencies, and an April 2018 compromise of 380,000 Hong Kong Broadband Network customer records. The Department of Health incident reflected broader global targeting of healthcare systems, where attackers typically seek either ransom payments or resellable personal data. Police reiterated standard cybersecurity advisories, urging antivirus software deployment and caution regarding suspicious online content, while highlighting Hong Kong’s 14-year maximum prison sentence for blackmail offenses.
