Read More
A Queen Mary Hospital operating room manager sent personal information of 130 patients to 20 employees of the public hospital and the University of Hong Kong despite they have little to do with their treatments.
ADVERTISEMENT
SCROLL TO CONTINUE WITH CONTENT
The patients’ information sent to the recipients through an email included their names, ID card numbers, medical records between 2017 to 2021, and the name of their operations.
A staff member of the public hospital told the media that the email was about the operation arrangement of another two patients and included their names, as well as the scheduled date and time of their operations.
However, the information of 130 patients who once used the same operating room was also attached to the email and it was accessible for all recipients.
The employee said the information of 130 patients was old records and it did not have to be included in the email for the upcoming operation arrangements.
He also said the email was not encrypted and there is a risk of the leak of information.
“The patients all have a case number at the hospital, why did [the operating room manager] provide the patients’ ID number for those email recipients,” the staff said.
The staff said that the personal data of patients were rarely passed on through email, and the email would only include the data of one or two patients at most. But the incident this time involved as many as 130 patients and the data was sent to doctors at different departments, he added.
“Some patients did not see doctors at certain departments at all, then why should doctors at those departments receive their information?” he said.
In responding to media inquiries, the Queen Mary Hospital stressed the patients’ information was not leaked, instead, all recipients of the email needed to know about the information related to the operating room.
It added that the hospital believes the internal email was not sent to outsiders and apologized to the public for the panic and concerns caused by this incident.
The hospital said the operating room manager did not encrypt the document with patients’ information because the email was for internal reference only. It has reminded all staff members to be careful when handling patients’ information and encrypt their personal data if needed, the hospital said.
The Office of the Privacy Commissioner for Personal Data said it has received complaints about the incident and is following the case. But it refused to comment on individual cases.
File Photo.
