The Personal Information Protection Commission (PIPC) recently pointed out significant privacy risks associated with data scraping methods used on public healthcare institution websites. Scraping involves automated programs collecting large amounts of personal data by using user credentials such as IDs and passwords. This method poses threats like excessive data collection, credential leaks, and unauthorized use of information. As a result, the PIPC emphasized the urgent need to shift to API-based systems that ensure security and reliability.
On June 16, a forum was held at the Gwanghwamun Press Center, attended by the PIPC, Korea Internet & Security Agency, National Health Insurance Service, and Health Insurance Review & Assessment Service. The event focused on discussing countermeasures against scraping and ways to enhance website security. Kim Dong-beom, a specialist from Seoul National University, presented on the current status and risk factors of medical data scraping, comparing domestic and international regulations. Panel discussions included officials from the Ministry of Health and Welfare, National Tax Service, academia, and industry, sharing diverse perspectives. The PIPC is also working on expanding MyData transmission rights and amending the Personal Information Protection Act.
Panelists agreed that scraping is difficult to distinguish from hacking methods like credential stuffing and that mass automated access can disrupt other users’ website experiences. The PIPC stressed the importance of allowing individuals to freely download their own data, verifying the identity of agents, and recording data access history. Plans are underway to improve related systems in collaboration with the National Health Insurance Service and Health Insurance Review & Assessment Service.
Looking ahead, the PIPC will continue to promote secure MyData transmission frameworks and API-based data transfer systems. Ha Seung-chul, head of the MyData Promotion Team, emphasized the necessity of safe data provision methods to foster innovative services. This discussion is expected to advance both personal data protection and the development of innovative healthcare services. With proper institutional and technical improvements, the risk of data breaches can be significantly reduced.
This issue underscores the critical balance between personal data protection and data utilization in the digital healthcare sector. The risks of scraping are not merely technical but directly impact public trust and the quality of public services. Transitioning to secure, API-based data transfer systems will minimize data leakage and serve as a foundation for innovative healthcare solutions. Going forward, legal and institutional reforms, along with user-centered data management, will become increasingly important.