EC Healthcare defends itself against data sharing allegations made by privacy watchdog

share on

twitter /
facebook /
linkedin /
- email
- telegram
- whatsapp
- wechat
- pinterest
- line
- snapchat
- reddit

Hong Kong’s non-hospital medical services provider EC Healthcare has clarified it did not share clients' personal data among its subsidiary brands, after the city's privacy watchdog released the investigation results based on two complaint cases.

According to the investigation report, the Privacy Commissioner for Personal Data Ada Chung found that after acquiring Primecare and NYMG, EC Healthcare stored the personal data of the clients of these two brands in the system, and shared parts of their personal data among the 28 brands of EC Healthcare using the system, so that the relevant personal data were accessible by the frontline staff of various brands.

In the two complaint cases, the personal data originally provided by the complainants to a single brand was disclosed and transferred, without their knowledge, to the staff of some other brands, said the report. Chung found that the move was plainly inconsistent with the original purpose of collection of the complainants’ personal data, and also fell short of their reasonable expectation for personal data privacy.

“After acquiring Primecare and NYMG, EC Healthcare failed to obtain consents from the two complainants to the use, disclosure and transfer of their personal data among the various brands within the group, and never informed them by any means that their personal data would be stored in the system. Such practices were disappointing both from the perspective of compliance with the legal requirements or that of respecting clients’ wills,” Chung added.

The Privacy Commissioner considered that the two complaint cases reveal that in undertaking mergers and acquisitions for market consolidation, and in collating clients’ personal data of its various brands through an integrated system, EC Healthcare disregarded the requirements under the PDPO on the use of personal data and failed to properly consider how the operation of the system may affect its clients’ personal data privacy.

Chung has served an enforcement notice on EC Healthcare, directing it to remedy and prevent recurrence of the relevant contraventions.

Soon after the release of the report, EC Healthcare has made a statement claiming that it did not share customers' data among its frontline staff of all brands within the group. The group set limitations to access of data based on employees' job remit and their needs of serving customers such as handling complaints, amendments of appointments and service inquiries.

"Even if multiple brands of the group are using the same digital technology platform, the group will never allow each brand to view, transfer and use relevant customer medical records, diagnostic records and medical reports without customers' consent," the statement read.

Upon the internal investigation of the group, the company said it did not involve data security issues such as third-party leakage. The group is still waiting for further information from the authorities to review the relevant cases and improve the implementation of relevant employee regulations and system design.

Related articles:

PCPD arrests man for disclosing personal data on social platform
PCPD makes arrest for a suspected doxxing offence
PCPD Study: Social media users should be wary of privacy policies and settings

share on