United Christian Hospital’s loss of patients’ data

1.   The Privacy Commissioner for Personal Data (“the Commissioner”) Mr. Roderick B. Woo expressed great disappointment when he learned of the loss of a USB flash drive containing personal data of a number of United Christian Hospital (“UCH”) patients..

2.    It was not so long ago that he had published a report of his Office’s investigation into the loss of a USB flash drive containing patients’ personal data by a nurse of the same hospital.

3.    No enforcement notice was served by the Commissioner following the conclusion of that investigation because he was satisfied that all reasonably practicable remedial steps had been taken by that hospital which effectively stopped its staff from using USB to store and transmit patients’ data.  The Chief Executive of the Hospital Authority (“HA”) had also directed that no member of the HA staff was allowed to take USB containing patients’ personal data away from the precinct of any hospital without his written approval.  All HA staff had been told to safeguard devices containing patients’ personal data and to use encryption and password protection in all the files containing such data.

4.   The Commissioner yesterday wrote to the Chief Executive of the HA personally as he knew that Mr. Shane Solomon would be equally concerned about this incident.  Mr. Woo would urge the HA to conduct a review to check whether the existing protection measures are strictly observed by all its staff.  He himself will determine, in the light of the information he is now in the process of collecting, whether a formal investigation should be carried out in respect of this latest incident.


END