Two doctors at a Hong Kong public hospital were arrested on charges of accessing computers with dishonest or criminal intent, allegedly involved in a data leak. According to police superintendent Wong Yick-lung, a 57-year-old consultant and a 35-year-old associate consultant from Tseung Kwan O Hospital were arrested in Ho Man Tin and Fo Tan, respectively.
Officers seized computers and other records; the pair is in police custody. On Sunday, the hospital stated the alleged leak, but the exact details were not disclosed at that time. The hospital’s chief executive, Dr. Kenny Yuen Ka-ye, said that the data of a few patients had been given to a third party. An internal complaint a month ago prompted the investigation.
According to Dr Ka-ye, the hospital found at least one doctor who accessed the patient’s personal data without permission. The hospital believes the documents containing information about other patients might have also been exposed to the third party. Police said experts are working to find out more details concerning the number of patients impacted by the incident.
While the investigation is ongoing, the consultant Dr has given his resignation, while the associate consultant has been suspended. At the time of writing this story, the motivation behind the attack is not known. According to Yuen, every doctor has access to the clinical management system that has patient information, but the use is only permitted under a strict “need-to-know” for research purposes or as part of the medical team taking care of a patient.
The investigation revealed that the two doctors didn’t fit into either category, which was a violation. According to SCMP’s conversation with a source, the portal reported that the two doctors (both members of the surgery department) sent details of a female pancreatic cancer patient who died after a surgical operation.
The pair illegally accessed the info and sent it to the family, asking them to file a complaint against the doctor who did the operation. This was done to show the doctor’s alleged incompetence.
The hospital has sent the case to the Office of the Privacy Commissioner for Personal Data, and has also reported the incident to the police and the Medical Council.
