Expert panel to investigate leaks
The Hospital Authority has set up a four-member expert panel to investigate data leaks from public hospitals after the loss of more electronic devices containing data of almost 6,000 patients was reported yesterday.
Calls for the authority and government departments to improve handling of data came in from all sides after the latest revelation by authority chief executive Shane Solomon.
Mr Solomon said nine cases of missing electronic devices had been reported by staff between April 1 last year and April 25 this year - seven thefts and two 'human errors'. Yesterday's statement was the first revelation of seven of the nine cases.
Privacy Commissioner Roderick Woo Bun said yesterday he was shocked and disappointed that the authority did not contact his office over the new cases. 'Due to the seriousness of the case, the commissioner has decided to write to Hospital Authority chief executive Shane Solomon, asking them to offer more detailed information so that appropriate action can be taken to prevent the occurrence of similar incidents,' a spokesman for the office said.
Mr Solomon said eight of the losses had been reported to police and the other would be reported when details had been confirmed.
The lost devices included four USB flash drives and other devices including a laptop computer, an MP3 player and a digital camera. They contained data on 5,988 patients from five public hospitals, about half of them involving identifiable personal particulars such as identity card numbers. Mr Solomon said 961 sets of data containing identifiable personal information were not protected by passwords.
'In these cases, the staff have legitimate use of the data,' he said. 'The problem is about the security of the devices. Clinicians have to download information, you cannot avoid that. And we cannot lock everything up. It is fortunate that there is no sign that the lost data has been misused.'
The authority would consider allowing downloads to only authorised USB devices, he said.
The taskforce, headed by former privacy commissioner for personal data Stephen Lau Ka-men, would take three months to produce a report to the authority, Mr Solomon said. It would make recommendations on ways to prevent thefts and how to make data inaccessible to others in case of theft, and would look at whether there were grounds for any staff to be punished.
The staff involved had reported the cases to the authority immediately after the incidents but it took time to sort out which reports were important for patients and then take follow-up action, Mr Solomon said.
Frontline Doctors' Union chairman Ernie Lo Chi-fung said the authority should handle the reported cases as quickly as possible. 'There is no problem with the current reporting system, but the Hospital Authority should promptly investigate the cases soon after they've got such reports,' he said.
Taskforce member Charles Mok, chairman of the Internet Society, said work had to be done to improve patient data protection. 'Guidelines should be given to workers on the security level of different kinds of information they handle, what hardware can be used and whether encryption should be added.'
The legislator for the information technology sector, Sin Chung-kai, said the government should overhaul its policy on civil servants' use of USB flash drives. 'Obviously there is something wrong in the system. It is not limited to the Department of Health and the Hospital Authority.'
Last week, the Civil Service Bureau admitted the Secretariat on Civil Service Discipline had lost a USB flash drive that contained details of civil servants' misconduct cases.
'If private data is stored in these removable drives, people should make sure they are encrypted and that a password is needed to read the data inside,' Mr Sin said.
Secretary for Food and Health York Chow Yat-ngok said medical staff should not save patients' data in their own memory cards.