University of Hong Kong’s medicine department ‘sorry’ for patient data breach

Laptop containing personal information of more than 3,600 patients believed to have been stolen; police are investigating

PUBLISHED : Sunday, 04 September, 2016, 7:03am
UPDATED : Sunday, 04 September, 2016, 7:03am

Hong Kong’s top medical school has expressed its “deepest apologies” after a laptop computer containing the personal data of more than 3,600 patients was suspected to have been stolen, causing a massive data breach.

A police investigation was under way after the laptop belonging to the University of Hong Kong’s Li Ka Shing Faculty of Medicine went missing from its office at Queen Mary Hospital in Pok Fu Lam on Thursday.

An initial assessment revealed that the personal information of 3,675 patients including their names, Hong Kong identity card and telephone numbers, diagnoses and medication list could have ended up in the wrong hands, although data for 901 of those patients was encrypted. According to a statement by the department, a person can log into the system only by using a registered username and password.

The department stressed that it would fully support the police investigation, and that measures had been taken to strengthen security. Staff members have also been asked to reset their user passwords, and ensure personal data in electronic storage was well-protected. It did not specify if anyone would face disciplinary action.

The Office of the Privacy Commissioner for Personal Data was also notified of the incident.

This is not the first time that patients’ data has been leaked because of the mishandling of digital equipment.

In February 2014, a pharmacy worker at Queen Elizabeth Hospital lost a non-encrypted USB flash drive containing drug prescriptions, dispensary-related documents as well as identifiable personal data of 92 patients.

The employee only reported the incident three days later, but the hospital considered the public exposure of the sensitive information to be low as the flash drive was believed to have been lost in a restricted area.

This follows a similar incident in August 2013 when the Hong Kong Sanatorium and Hospital, a private institution which caters to the city’s wealthy and the elite, reported that a staff member’s USB flash drive had gone missing, compromising the personal data of 68 patients.