HA denies leaking patients’ data to police to assist arrests

June 18, 2019 15:37
Legislator Pierre Chan said he has received complaints from public hospital staff that police officers had been given backdoor access to the Hospital Authority's patient database. Photo: RTHK News

The Hospital Authority (HA) has denied a legislator's allegation that police could access its computer database containing patients' personal information, stressing that it upholds patient confidentiality.

Dr. Pierre Chan Pui-yin, a lawmaker who represents the medical functional constituency, told a media conference on Monday that he had received complaints from public hospital staff that police officers had been given backdoor access to the HA patient database, the Hong Kong Economic Journal reports.

According to Chan, the complainants said the computers at the accident and emergency service units of the public hospitals where they work have a page specifically designed for police use and officers can obtain patients’ personal data, including their names, ID card numbers, phone numbers, age and the date and time of their treatment with no need to type a password.

The lawmaker said the backdoor was designed by the HA head office, but frontline medical staff only found out about it after several protesters against the extradition bill were arrested following clashes with police last Wednesday.

Officers reportedly showed up at public hospitals later that day and arrested some injured protesters who had been sent there for treatment.

Chan told the press conference that as the doctors and nurses in the accident and emergency departments were trying to find out how the patients had been identified, they accidentally found the backdoor link in their computers.

The HA had allegedly informed its employees earlier that day that if the demonstrators were sent public hospitals, they had to be marked as having been sent from the “mass gathering outside Legco”, Chan added.

He accused the HA of leaking “a large quantity of patient data” and having failed to protect patients’ rights as well as having breached privacy rules.

Chan asked the authority to stop the practice at once and give an explanation to the public, RTHK reported.

In response, the HA told media late Monday night that on June 12 it neither handed over any patient records to the police nor received any requests to provide such data.

The authority said its data system is a closed intranet, and only authorized staff can log on to the system.

While condemning those who spread rumors that could harm doctor-patient relations, the authority promised to investigate whether any staff members were involved in the alleged leakage, adding that it had reported the case to the privacy commissioner.

Police Commissioner Stephen Lo Wai-chung also dismissed Chan’s allegations, saying that, as far as he knows, the computers police are using at public hospitals are not linked with the HA computer system.

Once police stationed at public hospitals have found evidence that a hospital admission case involves a possible crime, they will contact other police officers to follow up the case, Lo said.

Meanwhile, the Office of the Privacy Commissioner for Personal Data said it has launched an investigation based on the HA report.

It reminded law enforcement authorities to specify the purpose and nature of their request for seeking personal information.

– Contact us at [email protected]