Stolen Hong Kong Child Assessment Service flash drive

Date Reported:
4/25/08

Organization:
People's Republic of China

Contractor/Consultant/Branch:
The Government of Hong Kong Special Administrative Region of the People's Republic of China

Department of Health
Child Assessment Service (Tuen Mun Centre)

Victims:
Adolescent patients

Number Affected:
700

Types of Data:
"detailed records of interviews with troubled youngsters including assessments and, in some cases, their photos, identity card numbers and addresses"

Breach Description:
"The Department of Health ( DH ) is working closely with the police in the investigation of a suspected theft case involving a removable electronic storage device ( USB flash drive ) containing patients’ information."

Reference URL:
Media Newswire

Monsters & Critics
Health & Community News

Report Credit:
Hong Kong Department of Health

Response:
From the online sources cited above:

Hong Kong - Medical data on almost 700 Hong Kong children and teenagers with social and developmental problems have been lost, the territory's government admitted Friday.
[Evan] This is the first breach that we have reported on The Breach Blog concerning information lost in Hong Kong.  Want to know Hong Kong's laws and practices concerning personal information?  Check out the Office of the Privacy Commissioner web site.  I was impressed with what I saw.

The records were held on a memory card which was stolen from an unlocked room at a Child Assessment Centre in the city's Tuen Mun district.
[Evan] I DO know that storing confidential information on a memory card (USB drive, flash drive, etc.) without encryption is a bad, bad idea.

The USB flash drive, which contained medical reports and referral letters of about 700 named patients, was found to be missing at the Child Assessment Centre ( CAC ) in Tuen Mun on April 18. Attempts to locate the device failed and the incident was reported to the Police on April 22.

The lost data included detailed records of interviews with troubled youngsters including assessments and, in some cases, their photos, identity card numbers and addresses.
[Evan] Is a Hong Kong identity card at all comparable to a Social Security card?

Hong Kong's Deputy Director of Health Gloria Tam apologized to the families affected and said they should contact police if anyone suspicious approached them with their personal details.

The Department of Health ( DH ) is working closely with the police in the investigation

The department has sent letters to parents of the involved patients to inform them of the situation and the Privacy Commissioner of Personal Data has also been notified.
[Evan] Here is the Commissioner's office "Response to the loss of medical data by Department of Health".

As the case involved personal privacy, the affected families should remain alert and report to the police if they were approached by suspicious people with their personal data, she said.

'We have reminded our staff about the absolute importance of office security and to strictly adhere to the government's security regulations,' she said in a statement.

With immediate effect, staff have been asked to keep storage of identifiable patient information in removable electronic devices to a minimum essential for the efficient conduct of business. The information should be encrypted.
[Evan] Not "should be encrypted", MUST be encrypted.

These should not be removed from the specific office/clinic unless with prior approval from the respective service heads.

A government hotline has been set up to deal with calls from youngsters and family members concerned over the loss of the data, she added.

There is a Department of Health hotline ( 2125 1133 ) for enquiries.  The hotline will operate until 9pm today, from 9am to 1pm tomorrow and Sunday and from 9am to 5pm during weekdays from next Monday.

Dr Tam said the concerned doctor's case may be dealt with under civil-service regulations after the investigation is completed.
[Evan] I fear what this could mean.

Commentary:
The response from the Privacy Commissioner for Personal Data sums it up pretty well.  Section 4 made good sense:

"The Privacy Commissioner for Personal Data Mr. Roderick B Woo takes the opportunity to remind both the public and private sectors to exercise particular caution when handling personal data.  Stringent handling procedure and sufficient security safeguards should be implemented.  In particular, when sensitive personal data are stored or transmitted by electronic means, the data shall be encrypted."

Past Breaches:
Unknown


 