DH follows up seriously on case of suspected unauthorised access to medical records
***********************************************************************************
The DH earlier received an enquiry from a member of the public referred by the Electronic Health Record Registration Office, who was concerned about the reason for receiving an SMS notification about his electronic health records (eHRs) being accessed by the DH healthcare officer despite his not having used the DH's services recently. The DH immediately initiated an investigation and preliminarily discovered that a DHO under non-civil service terms had repeatedly accessed the medical records of individuals without their consent through the clinical information management system of the school dental clinic and eHealth, involving 16 individuals who were not the DHO's patients. The DHO concerned claimed that the 16 individuals were known to the DHO.
The DH has reported the case to the Office of the Privacy Commissioner for Personal Data, the Commissioner for Electronic Health Record and the Dental Council of Hong Kong, and has notified the affected individuals. The Dental House Officer concerned has been suspended from duty.
According to the Dentists Registration Ordinance (Cap. 156), local dental graduates are required to undergo an internship before obtaining full registration in Hong Kong. The introduction of the internship aims to strengthen the clinical experience of local dental graduates in real-life settings, through which they will become familiar with the dental practice in Hong Kong and hone their communication skills with patients. This ensures that, in addition to mastering professional knowledge, they also develop sound practical skills and a professional attitude, enabling them to exercise clinical judgements in different situations and meet the demands of the dental practice effectively.
During the two-week orientation programme for the DHOs, the DH has clearly explained the professional conduct and code of practice to which they must strictly adhere. Additionally, the regular professional development programmes organised by the Faculty of Dentistry of the University of Hong Kong (HKU) for the DHOs during the internship have covered the professional responsibility and ethical conduct a dentist should possess, as well as the relevant provisions of legislation on safeguarding patients' personal information. In response to this incident, the Faculty of Dentistry of the HKU will strengthen the training of the dental students and dental interns on the aspects of information technology (IT) security.
To prevent similar incidents from reoccurring, the DH will review and optimise the existing internal system security measures. All staff and healthcare personnel have been reminded to strictly observe the DH's internal guidelines on IT security and the use of eHealth by healthcare personnel to ensure that they fully understand the importance of safeguarding patients' personal information.
According to the DH's stipulated internal guidelines, healthcare personnel must pay attention to protecting patients' privacy and comply with relevant laws and regulations, including the Electronic Health System Ordinance (Cap 625). At the same time, healthcare personnel must obtain consent from the patients and adhere to the principles of "Need to Know" and "Patient Under Care" when accessing patients' medical records through any of the DH's clinical information management systems and eHealth. The relevant guidelines are consistent with the Code of Practice promulgated by the eHealth. Healthcare personnel are required to carefully review these internal guidelines before applying for an eHealth account and to sign the application form confirming their understanding and commitment to comply with the relevant requirements. In addition, all the electronic health records accessed through eHealth are tracked for verification to prevent abuse.
The DH has attached great importance to the conduct and integrity of its staff (including contract staff) and has an established mechanism to regulate staff conduct and discipline. If an employee is suspected of misconduct, the DH will conduct a thorough investigation and handle all cases impartially.
Ends/Wednesday, January 28, 2026
Issued at HKT 18:30
Issued at HKT 18:30
NNNN