Hong Kong privacy watchdog finds healthcare chain shared database with personal details of over 1 million customers among its companies
- Probe launched after EC Healthcare shared personal data of clients among four of its brands, watchdog says
- Office also issues enforcement notice to Fotomax, following ransomware attack on the photo printing chain database
A healthcare chain in Hong Kong has shared a database containing the personal information of more than a million customers among several of its member companies without their consent, the privacy watchdog has found, although the business insists strict limits on access were set.
The Office of the Privacy Commissioner for Personal Data on Monday also issued an enforcement notice to Fotomax, following a ransomware attack on the photo printing chain database that involved more than 500,000 customers.
In response to the individual cases highlighted in the privacy watchdog’s report, EC Healthcare clarified that no data security issues such as leakage by third parties were involved after an internal investigation.
The watchdog launched its investigation into EC Healthcare after receiving two complaints involving four of the member companies. The office said 28 of 39 brands under the healthcare company, including paediatric wellness centre Primecare and cosmetic surgery provider Dr Reborn, had adopted an integrated internal database, which involved the data of about 1.08 million customers.
“Such practices are disappointing both from the perspective of compliance with the legal requirements and that of respecting clients’ will,” privacy commissioner for personal data Ada Chung Lai-ling said.