17 Korean hospitals leaked almost 200,000 patient data to pharmas
Photo: Morsa Images/Getty Images
The Personal Information Protection Committee, South Korea's national data protection authority, has probed 17 university hospitals that allegedly allowed nearly 200,000 patient information to get exposed in a leak.
WHAT IT'S ABOUT
The PIPC acted on alleged reports of university hospitals leaking patient information to pharmaceutical companies. The case was later confirmed by the police following a search and seizure operation on the involved pharmaceutical companies.
It was found that hospital staff took pictures or downloaded patient information needed for prescriptions, which were then sent via e-mail or flash drives to pharmaceutical companies.
Based on the investigation, approximately 185,271 patient information, including sensitive ones, was leaked between April 2018 and January 2020. About half came from Yonsei University Severance Hospital (57,912) and St. Mary's Hospitals in Uijeongbu (20,027) and Yeouido (17,115).
All but one of the 17 hospitals were found to have violated the Personal Information Protection Act for failing to ensure the safety of patient information. They were subjected to fines totalling KRW 64.8 million ($50,500).
According to PIPC, for more than two years, 16 hospitals have not kept records of people who have accessed their system. They also have not amply confirmed their reasons for accessing and downloading information.
Of those hospitals, Hallym University Sacred Heart Hospital, Dongtan Sacred Hospital, Kangnam Sacred Hospital and Hangang Sacred Hospital have not kept access records for over three years. These four hospitals, along with Soon Chun Hyang University Hospital Seoul and Konkuk University Chungju Hospital, also did not have security measures in place for exporting and importing data via auxiliary storage devices like hard and flash drives.
Additionally, Kangbuk Samsung Hospital and Korea University Guro Hospital were found to have poor security, allowing unauthorised persons to access data physically.
Aside from getting fines, all 17 hospitals were also told to make the following improvements:
-
Regularly inspect respective personal information processing systems and enforce measures to prevent future data leaks
-
Reinforce regular training for staff involved in protecting personal information
Meanwhile, the South Korean police are still conducting investigations for possible criminal liability of involved hospital and pharmaceutical company staff in the data leak.
THE LARGER TREND
Cybersecurity authorities in South Korea were most recently alarmed by a large-scale data breach at Seoul National University Hospital. According to the hospital, the personal information of over 800,000 people, including patients and hospital employees, has been leaked following an attack on its IT servers between May and June last year. The local police said they have traced the source of the attacks from alleged servers of North Korean hackers.
ON THE RECORD
"Through this investigation, we hope university hospitals are now more aware of their role in protecting patients' highly sensitive personal data. This also serves as an opportunity for them to realise the importance of training staff on managing their personal information protection systems, as well as conducting regular checks of the system to prevent future data leaks from happening," the PIPC said in a statement.