English Articles

Recent Top 10 Data Breaches – No. 9: UCLA Health

Online Platform     :       UCLA Health Network System

Year                          :       July 2015

Affected Patients :       4.5 million

Incident                   :       System hacking and leakage of health data


UCLA Health, stands for University of California, Los Angeles Health, is a medical group comprised of 4 hospitals, claiming that they are providing the best healthcare and medical technology to the people in LA and the world.

Interestingly, according to the UCLA website, they have more than 200 physicians are listed among the Best Doctors in America. Each year, there are more than 100,000 patients are admitted into their hospitals.

But that’s not the point.

Internet Hacking, still

It was reported that in May 2015, hackers had hacked into the UCLA Health network system. There was about 4.5 million patients’ personal data and sensitive information on their health records had been compromised.

It would essentially mean that the 4 hospitals and other medical offices that inter-connected to the network system had been exposed to the internet hackers.

The data that had been accessed and potentially being “hacked” by the cyber-attackers comprised of social security numbers, dates of birth, addresses and medical information such as lab test results, diagnoses, medications and other health data.

So What’s The Issue Here?

Number 1 – Data Profiling.

The health records that were stored electronically would be beneficial in profiling a patient’s medical record, possibly enable related industry player such as pharmaceutical company to advertise and sell their products to such patient.

Further, this sensitive medical information may as well include high degree sensitivity data such as HIV test result, exposed such patient to unprotected and highly unsecured risk in revealing these data publicly which was meant to be own privacy.

Number 2 – No Data Encryption.

UCLA Health confirmed that their electronic medical records / data had not been encrypted, causing the personal data was exposed in a “naked” manner, by such analogy.

“Encryption” essentially means an extra step to secure and transform the data intended to be protected into another form by using a key (password). The intended recipient could “decrypt” the encrypted data back to original form.

Let’s use a patient’s HIV test record as an example.

Record ABC (HIV record) + Key (Encrypted) –> XYZ (secured data).

XYZ couldn’t be recognised even you have such data on hand.

XYZ (secured data) + Key (Decrypted) –> Record ABC (HIV record).

As such, the hackers that accessed and possibly stole the 4.5 million patients’ data were able to read the information easily without any challenges, as in a “naked” manner, because those data weren’t wearing any clothes.

More Interesting Facts – Identity Theft Insurance Coverage

Following the leakage of the personal data, UCLA announced that they were offering a year of identity-theft insurance protection to those affected patients.

An identity-theft insurance policy means that if your identity is stolen (which mean your personal data) and because of such incident, you suffered financial losses such as the hacker log in to bank account and siphoned out the money, the insurance company will cover the victim’s financial losses up to certain insured amount.

However, a loss of personal data would beyond pure monetary loss. Imagine the HIV test result has been made publicly, it is arguable that the damage on the reputation or image is irreparable and such harm cannot be undone.

What’s More Interesting? – The Hospital Could Be Made Liable!

In United States for example, they have a federal law known as the Health Insurance Portability and Accountability Act 1996 made under the administration of Bill Clinton.

Under HIPAA, the hospital would need to adopt certain protective measures in guarding the patients’ electronic medical records failing which they could be made liable for such breach.

In 2008, there was a medical data leakage caused by UCLA’s internal workers who snooped and then sold the medical records of famous artists such as Britney Spears. UCLA paid $865,500 to the federal enforcers.

English Articles

Recent Top 10 Data Breaches – No. 10: EBay

Online Platform   :       Ebay Online Trading Platform

Year                        :       May 2014

Affected Users    :       145 million

Incident                 :       System hacking and leakage of personal data

Internet Hacking

Ebay is well known for its online trading platform, a venue for global willing buyers and sellers to trade via online equipped with payment gateway system.

In May 2014, EBay announced that according to a cyber-attack launched against the said E-Commerce platform, it was estimated that 145 million users’ personal data has been compromised and leaked to 3rd party. The cyber-attack was reportedly initiated by way of internet hacking between late February and early March 2014.

According to EBay, the involved personal data included users’ email addresses, passwords, birth dates and correspondence address. However, EBay insisted that there was no financial information being affected in the cyber-attack.

EBay has advised all users to change their passwords after the event.

So What’s The Issue?

Many do not realise that EBay users’ accounts were actually linked to social media profile such as Facebook account. To be fair it wasn’t EBay, only, but rather majority of forums, websites, E-Commerce platforms allow login service by way of social media account.

Once such E-Commerce online platform users’ accounts were linked to and/or registered by way of social media account, the hackers or whoever that managed to obtain the personal data from EBay are able to perform data profiling.

So What’s Data Profiling?

The connection that linked with for example Facebook account, would expose and reveal the EBay users’ actual name that shown in their respective Facebook profile, and perhaps other data associated.

It essentially means that the hacker would be able to track and trace a virtual EBay user to an actual individual by looking into the data associated or shown in Facebook account.

In the meantime, data profiling is a type of data examination that allows collection and setting of statistics and summary from an existing information source. The collected, compiled and summarised statistics would help to locate, identify and trace a purchasing record, living or spending habit or even detailed profile of one online user.

Let’s take EBay for example. Purchasing data for condom or pregnancy test or even HIV test would benefit or useful to pharmaceutical company or related advertisers.

Another aspect from such data leakage is the investigation of the authority. Imagine that the data or purchasing record on purchasing gun-related accessories would enable one to profile the user as firearm user (could be registered or unregistered user in United States). Such privacy loophole would enable the law enforcers to run a “free” background check especially on unregistered gun users that go dark.

-Please stay tune for the next Recent Top 10 Data Breaches – No. 9-

爱FM法律节目, 中文文章






















是否曾想过,共结连理时那一声“我愿意/I Do”是一项口头合约,具有法律约束力。当然,违约的后果可是不堪入目。当我们在网络世界游览网站或购物时,经常要求网络使用者注册用户户口(user account)以便能继续购物和付款。

问题来了。当网站强制我们注册户口的当儿,会出现要求我们同意并确认网站使用条款(Terms & Conditions),如果不打勾就无法继续购物或游览,实在扫兴。可是同时我们也发现,有些网站并没有强制使用者按“同意”键却可以继续购物或游览,为何会有这样的分别?

一个比较全面的网站必定会有使用条款,使用条款一般上则围绕在免责条款(indemnity),意即若使用者在使用网站购物或依赖网站的资讯后而受到任何损害时,使用者同意网站不会负上任何责任。使用者往往在游览或使用网站时并没有注意到任何使用条款的栏目,又或是我们都往往选择,刻意或不需要去理会这些terms and conditions。可是我们是否有想过这些使用条款其实会是一份具有法律约束力的合约?


  1. 点选同意合约(ClickWrap Agreement),意思是当你按下“同意”键的时候,你已被当作认同和接受该网站的所有使用条款,缔结了一份使用合约;或
  2. 游览同意合约(BrowseWrap Agreement),意思是网站的使用条款说明,虽然你没有按下任何“同意”键(又或没这个“同意”键给你按),不过当你继续游览或使用网站时,透过这样的举动被当作已接受了使用条款,缔结了一份使用合约。


点选同意合约(ClickWrap Agreement



游览同意合约(BrowseWrap Agreement

可想而知,游览同意合约存在许多争议,因为游览同意合约仅仅透过游览和使用网站的被动动作(passive conduct)而认为你已同意使用条款,进而缔结了使用合约,一旦发生任何纠纷时网站将依赖此条款/合约拒绝负上任何责任。

乍看之下游览同意合约的确有偏于网站而非使用者,因为这些使用条款并没有清楚和明显地显示在网页内让使用者知道。有鉴于此,法庭普遍上都会认为这样的缔结方式对使用者不公。通过游览同意缔结的合约,缺少了合理的通知和机会,导致使用者对使用条款完全不知情。站在法律的角度,法律倾向于认同较合理的举动(reasonable act)。



  1. 必须清楚地显示给网站使用者这些使用条款的存在,或在使用者付款之前显示给使用者再看多一遍(记住,这并不是要使用者查阅所有条款);
  2. 让使用者轻易的查阅和游览所有的使用条款;
  3. 提供使用者打印或存档使用条款;
  4. 提供使用者“同意”或“不同意”的选项;以及
  5. 确保使用者在按下“同意”键后该使用条款能让使用者轻易的查询。