HA sets up Task Force on Patient Data Security and Privacy
**********************************************************

The following is issued on behalf of the Hospital Authority:

    The Chief Executive of the Hospital Authority (HA), Mr Shane Solomon, today (May 5) announced the appointment of a Task Force on Patient Data Security and Privacy with the objectives of enhancing system security and patient data protection, following cases of loss of electronic devices containing patient data.

    Mr Solomon said that from the record of the Advanced Incident Reporting System (AIRS), there were nine reported cases on data loss via electronic devices in the past 12 months up to end April.

    Among them, eight cases had been reported to the police and seven cases were theft-related.  These data loss cases happened at Pamela Youde Nethersole Eastern Hospital (four cases), Kowloon Hospital (two cases), Queen Mary Hospital (one case), Tuen Mun Hospital (one case) and United Christian Hospital (one case).

    The lost electronic devices included four USB memory sticks, one palm handheld device, one MP3 player, one Central Processing Unit, one laptop computer and one digital camera.

    ¡§While a total of 5,988 patients were involved, 3,117 of the losses did not involve any personal particulars.¡¨

    Of the remaining 2,871 patient data items, 961 (33%) were not password protected.

    The data lost were mainly collected manually.  Patients involved in four reported cases had been contacted.  Hospitals will continue to contact concerned patients if needed.  There have not been any reported cases of patient data leakage so far. (Case details are included in the attachment.)

    Membership of the Task Force on Patient Data Security and Privacy is as follows:

Chairman: Mr Stephen Lau, former Privacy Commissioner for Personal Data
Members:  Mr Charles Mok, HA Board member
          Mr Sunny Lee, President of Hong Kong Computer Society
          Dr Chong Lap-chuen, Chairman of HA Clinical Data Policy Group

    The terms of reference of the task force are as follows:

1.  Review the clinical and operational requirements for exporting of clinical data in the HA

2.  Assess the mechanisms that are currently in place to protect the security and privacy of identifiable patient data.  Mechanisms to be examined include:
-  policies and guidelines
-  education and promulgation efforts
-  system design and technical features
-  incident reporting and handling measures

3.  Suggest improvements to these mechanisms to enhance patient data security and privacy in the HA.

    The task force will complete its work and submit a report to the HA Chief Executive in three months¡¦ time.

Ends/Monday, May 5, 2008
Issued at HKT 17:43

NNNN