Case of suspected unauthorised access to eHRSS detected
Upon receiving an application in mid-December 2018 for a new token for access to the eHRSS by a doctor who already had a user account, the RO carried out follow-up checks and found 11 instances of suspected unauthorised access to the health data of seven patients in the eHRSS between June and November 2018 at the JP Partners Medical (JP) clinic in East Point City, Tseung Kwan O.
These instances of access were believed to have been made by two staff of the clinic by using the account and token of the above-mentioned doctor who had left the clinic. It has yet to be established that the staff concerned were authorised to access the relevant data.
The Electronic Health Record Sharing System Ordinance (Cap 625) imposes responsibilities on healthcare providers for access to and use of patient data only with patients' sharing consent, and ensuring access to health data is restricted to healthcare professionals for providing healthcare. A Code of Practice is also in place, reminding healthcare providers on how to properly handle patient registration with the eHRSS, management of user accounts and their clinical records, and ensuring system security.
In the light of the findings, the RO has contacted the seven patients concerned. The Food and Health Bureau has referred the case to the Police to consider if further investigation is warranted and informed the Office of the Privacy Commissioner for Personal Data. So far, there is no indication that security and data integrity of the eHRSS have been compromised.
The RO will invite the healthcare provider involved to review its data and account management system and to satisfy the Commissioner for the Electronic Health Record that arrangements are in place to ensure full adherence to the requirements under the Ordinance and the Code, failing which cancellation of registration as an eHRSS healthcare provider may have to be considered.
For enquiries on the eHRSS, members of the public may contact the RO at 3467 6300 during office hours. The clinic concerned has doctors that participate in the Hospital Authority (HA) General Outpatient Clinic Public-Private Partnership Programme and the Department of Health (DH) Colorectal Cancer Screening Programme, which use the eHRSS for sharing patient health data. JP patients who are on these programmes may contact the HA and the DH at 2300 7300 and 3565 6288 respectively during office hours if they have any enquiries.
Ends/Tuesday, April 16, 2019
Issued at HKT 12:09
Issued at HKT 12:09