HONG KONG, 14 APRIL 2009 - An independent panel is investigating after a United Christian Hospital Obstetrics & Gynaecology Department doctor lost a personal USB flash drive containing eight patient data records.
The device has four scanned images of a fetal heart tracing record with one patient's name and identity, and a PowerPoint presentation file with seven patients' names, identity numbers and case summaries for internal clinical discussion.
Drive not encrypted
The drive was not encrypted or password-protected. No patient's personal contact information is included and the relevant data was not exported or downloaded from the Hospital Authority's clinical management system.
The case was reported to the hospital and the police yesterday, and the Office of the Privacy Commissioner for Personal Data was also informed.
Guidelines not complied with
Patient names and identity numbers are not required for clinical discussion, so an initial probe showed the doctor had not complied with data-security guidelines. The hospital will take proper disciplinary action if human error is identified.
The hospital has so far informed five of the patients and offered a sincere apology. It will continue to contact the remaining patients. It has not received any enquiries or reports related to the patients' data.
Expressing concern, Gabriel Leung, acting secretary for food and health of the Hong Kong government, has asked the authority to look into the incident and ensure patients' data and privacy are effectively protected.