Hong Kong’s largest non-hospital medical services provider EC Healthcare shared clients’ personal data among various brands owned by the group, the official privacy watchdog has found.

An EC Healthcare medical centre at Central. File photo: EC Healthcare.

The Office of the Privacy Commissioner for Personal Data (PCPD) released the results of an investigation into EC Healthcare at a press conference on Monday, revealing that the group had shared clients’ full names, transaction details and medical records among its subsidiaries via an integrated customer service system.

The system in question was used by 28 of the 39 brands owned by the group, involving 1.08 million clients.

EC Healthcare did not inform all clients or get their consent before disclosing and transferring their personal information, the PCPD office found. The exact number of clients affected was not identified.

The customer information in question was made available to EC Healthcare’s customer service, cashier, hotline centre and front desk staff via the system.

The Privacy Commissioner for Personal Data Ada Chung said the firm’s practices were “disappointing both from the perspective of compliance with legal requirements or that of respecting clients’ wills.”

Ada Chung (middle), the Privacy Commissioner for Personal Data. Photo: Peter Lee/HKFP.

She said EC Healthcare had contravened the requirements of the Personal Data (Privacy) Ordinance. An enforcement order was issued to the group requiring it to stop sharing customer data without consent, to provide staff training, and to set clear limits on which staff may access the data.

According to Chung, the company must comply with the enforcement order within three months or face a maximum penalty of a HK$50,000 fine and two years' imprisonment, plus a further HK$1,000 for each day the breach continues.

Chung said that the current punishments were considered “insufficient.”

“We will work with the government and review the entire privacy ordinance, including its penalties,” she added, without giving a timeframe.

Client complaints

The investigation was launched after two separate complaints were filed with the PCPD last June and July, respectively.

In both cases, brands under EC Healthcare held the full names of the complainants or their family members even though the customers had never provided that data to those brands.

The clients involved had each provided their information to either Primecare Paediatric Wellness Centre or New York Medical Group. The privacy watchdog found that when the two brands were later acquired by EC Healthcare, some of their client data was shared among different companies under the new parent firm using the integrated system.

Ada Chung (right), the Privacy Commissioner for Personal Data. Photo: Peter Lee/HKFP.

EC Healthcare told the watchdog that the system was set up to “provide one-stop medical and healthcare services, improve the quality of customer services, and make answering client enquiries and handling complaints more convenient for frontline staff.”

However, it said that clients’ personal data from other companies was not necessary for the individual operation of the brands involved in the complaints cases.

Chung said she believed that EC Healthcare’s practices were “not common” in the industry but the watchdog would look into similar large healthcare groups.

“We are monitoring online discussions, news highlights or media reports. If we find there is something irregular in the operation of any particular group… we will initiate enquiries proactively without waiting for any complaints,” she added.

Fotomax data ransom

PCPD also released findings from an investigation into Fotomax on Monday. The photo finishing service chain suffered a ransomware attack in October 2021, in which the data of 544,862 registered members and 73,957 other customers of its online store was maliciously encrypted.

A Fotomax branch in Choi Hung MTR Station. File photo: EHALAM BorG 600M, via Wikicommons.

The watchdog said the data breach was made possible by “serious deficiencies.” The company admitted to the PCPD that it had learned of a vulnerability in its firewall in September 2019 but, believing its existing data security measures were sufficient to fend off the related threats, did not install the security patch.

Fotomax also delayed the implementation of multi-factor authentication as urged by the firewall provider, PCPD found.

Chung said the company had contravened the Personal Data (Privacy) Ordinance because it had not taken all practicable steps to protect personal data. Fotomax was therefore ordered to hire independent experts to carry out regular assessments of its data security.

In addition, Chung said her observations suggested that companies in Hong Kong were aware of the risk of cyberattacks. “I do believe that this is an isolated incident,” she said.


Peter Lee

Peter Lee is a reporter for HKFP. He was previously a freelance journalist at Initium, covering political and court news. He holds a Global Communication bachelor degree from CUHK.