The Danish Data Protection Agency (Datatilsynet) said on Wednesday that the CPR numbers of 5,282,616 people were mistakenly delivered to the Chinese Visa Application Centre, a Copenhagen-based Chinese company.
A package sent by the Danish State Serum Institute (SSI) to Statistics Denmark in February 2015 contained two CDs with the CPR number and health information of over 5 million residents who lived in Denmark between 2010 and 2012. The package, sent by registered mail, was “delivered to the Chinese Visa Application Centre” by mistake, Datatilsynet wrote.
When the letter later made its way to Statistics Denmark, the data agency said that it had been opened.
“The CDs contained information on personal [ID] numbers and health information, but not names or addresses. The CDs were not encrypted,” Datatilsynet wrote.
The data agency criticized SSI for sending unencrypted personal information through the post.
In a response to the data agency, SSI acknowledged that “we are talking about sensitive personal data of a very extensive character and it cannot be ruled out that it could have had concrete consequences for the affected individuals if the information had actually reached unauthorized individuals”.
SSI said however that it was of the “perception” that the information “neither reached other people nor was seen by other people”.
It said that it was contacted by an employee of the Chinese Visa Application Centre who said she opened the letter addressed to Statistics Denmark “by mistake” but then delivered the package to the statistics agency.
SSI said it “has not found reason to doubt” the employee’s story.
When contacted by Danish news agency Ritzau on Wednesday, SSI referred questions to the health information agency Sundhedsdatastyrelsen, which could not be contacted because it is closed for summer holiday.