
Media Statement - Privacy Commissioner’s Office Publishes Two Investigation Reports

Date: 14 November 2022

Privacy Commissioner’s Office Publishes Two Investigation Reports

The Office of the Privacy Commissioner for Personal Data (PCPD) published two investigation reports today, namely (1) EC Healthcare’s Sharing of Clients’ Personal Data among its Various Brands through an Integrated System and (2) Ransomware Attack on the Database of Fotomax (F.E.) Limited (Fotomax).
 
1. Investigation Report: EC Healthcare’s Sharing of Clients’ Personal Data among its Various Brands through an Integrated System
 
On completion of its investigation into EC Healthcare’s sharing of clients’ personal data among its various brands through an integrated system (the System), the PCPD published an investigation report today. The investigation arose from two complaint cases received by the PCPD, involving four brands under EC Healthcare (Please refer to the Annex for details of the complaint cases):
 
  • Primecare Paediatric Wellness Centre (Primecare) and Dr Reborn: the complainant took her daughter to consult a doctor of Primecare. She was later told by Dr Reborn that after the said doctor joined Dr Reborn, the personal data of his clients (including the complainant’s daughter) was transferred to Dr Reborn; and
  • New York Medical Group (NYMG) and re:HEALTH: the complainant contacted re:HEALTH to follow up a complaint lodged by a member of his family against re:HEALTH. When re:HEALTH replied to the complainant, it accessed and used the personal data provided by the complainant to NYMG when he received treatment there.
 
After conducting investigations into the above cases, the Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, finds that after acquiring Primecare and NYMG, EC Healthcare stored the personal data of the clients of these two brands (including those of the two complainants) in the System, and shared parts of their personal data among the 28 brands of EC Healthcare using the System, so that the relevant personal data were accessible by the frontline staff of various brands. In the two complaint cases, the personal data originally provided by the complainants to a single brand was disclosed and transferred, without their knowledge, to the staff of some other brands. The Privacy Commissioner finds that the above arrangement was plainly inconsistent with the original purpose of collection of the complainants’ personal data, and also fell short of their reasonable expectation for personal data privacy.
 
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, remarked, “After acquiring Primecare and NYMG, EC Healthcare failed to obtain consents from the two complainants to the use, disclosure and transfer of their personal data among the various brands within the group, and never informed them by any means that their personal data would be stored in the System. Such practices were disappointing both from the perspective of compliance with the legal requirements and that of respecting clients’ wills.”
 
In the circumstances, the Privacy Commissioner is of the opinion that EC Healthcare has contravened the requirements of Data Protection Principle (DPP) 3(1) in Schedule 1 to the Personal Data (Privacy) Ordinance (PDPO) on the use (including disclosure and transfer) of personal data.
 
The Privacy Commissioner considers that the two complaint cases reveal that in undertaking mergers and acquisitions for market consolidation, and in collating clients’ personal data of its various brands through an integrated system, EC Healthcare disregarded the requirements under the PDPO on the use (including disclosure and transfer) of personal data and failed to properly consider how the operation of the System may affect its clients’ personal data privacy. The Privacy Commissioner expresses regret at the above shortcomings.
 
The Privacy Commissioner has served an Enforcement Notice on EC Healthcare, directing it to remedy and prevent recurrence of the relevant contraventions.
 
Through the report, the Privacy Commissioner would also like to make six recommendations to other organisations which operate multiple brands. Such organisations are recommended to:
 
  • Provide clients with a clear and concise Personal Information Collection Statement to facilitate their understanding of the purpose of data collection and the classes of transferees to whom the data may be transferred;
  • Obtain consent from customers before using (including disclosing and transferring) their personal data for a new purpose;
  • Appropriately assign staff’s rights of access to and retrieval of clients’ personal data, by taking into account the scope of business and staff authority;
  • Carry out a Privacy Impact Assessment before the implementation of any plans that involve the handling of a considerable amount of personal data, and adopt adequate measures to address the identified impacts and risks for the protection of personal data privacy;
  • Implement a Personal Data Privacy Management Programme to include the protection of personal data privacy as part of their governance responsibilities; and
  • Appoint Data Protection Officer(s) to ensure the organisation’s compliance with the requirements under the PDPO and implementation of a Privacy Management Programme, with a view to developing a culture of respecting personal data privacy.
 
Download the Executive Summary of “Investigation Report: EC Healthcare’s Sharing of Clients’ Personal Data among its Various Brands through an Integrated System”: https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r22_13928_e.pdf
 
2. Investigation Report: Ransomware Attack on the Database of Fotomax
 
With the exponential growth of digitalisation, cyberattacks have become one of the major risks for most businesses. Regardless of their size, organisations may come under attack from threat actors at any time.
 
On completion of its investigation into an incident which involved a ransomware attack on Fotomax’s database, the PCPD published an investigation report today. The investigation arose from a data breach notification lodged by Fotomax with the PCPD on 1 November 2021, which reported that the database of its online store (the Database) had been attacked by ransomware and maliciously encrypted on 26 October 2021. A total of 544,862 members and 73,957 customers who had ordered products and/or accepted services from its online store between 16 November 2020 and 26 October 2021 were affected in the incident.
 
From the evidence collected in the investigation, the Privacy Commissioner finds that Fotomax had the following serious deficiencies which contributed to the avoidable exploitation of a vulnerability and access to personal data in the Database by the hacker:
 
  • Misevaluation of security vulnerability risk;
  • Deficiencies in information system management; and
  • Delayed implementation of multi-factor authentication.
 
In the present case, the Privacy Commissioner finds that Fotomax had serious deficiencies in risk awareness and personal data security measures which led to the ransomware attack on the Database. The Privacy Commissioner considers that Fotomax had not taken all practicable steps to ensure that the personal data involved was protected from unauthorised or accidental access, processing, erasure, loss or use, thereby contravening DPP 4(1) concerning the security of personal data under the PDPO. The Privacy Commissioner has issued an Enforcement Notice to Fotomax, directing Fotomax to remedy and prevent recurrence of the contravention.
 
Through the report, the Privacy Commissioner also wishes to remind organisations that handle customers’ personal data to pay particular attention to the following areas:
 
  • Stay vigilant to prevent hacker attacks by conducting regular risk assessments to review the potential impact of hacking on their systems;
  • Establish a Personal Data Privacy Management Programme to handle personal data in compliance with the PDPO, and to effectively handle personal data in its entire lifecycle;
  • Appoint a designated officer as Data Protection Officer to monitor compliance with the PDPO;
  • Enhance information systems management, including developing effective patch management procedures to patch security vulnerabilities as early as possible; and
  • Maintain proper documentation of internal communications for reference in future reviews.
 
Download “Investigation Report: Ransomware Attack on the Database of Fotomax (F.E.) Limited”: https://www.pcpd.org.hk/english/enforcement/commissioners_findings/files/r22_18947_e.pdf
 

The Privacy Commissioner, Ms Ada CHUNG Lai-ling (centre), Chief Personal Data Officer (Complaints), Ms Amy CHAN Mei-yee (left), and Acting Chief Personal Data Officer (Compliance & Enquiries), Mr Brad KWOK Ching-hei (right), elaborated on the two investigation reports.


The Privacy Commissioner, Ms Ada CHUNG Lai-ling, made six recommendations to organisations through the investigation report on EC Healthcare.
 
-End-


Annex
 
EC Healthcare’s Sharing of Clients’ Personal Data among its Various Brands through an Integrated System
Particulars of the Complaint Cases and Investigation Results
 
Investigation Case (1)
 
According to the complainant, she accompanied her daughter to a Primecare clinic for medical consultation and provided the phone number of her daughter’s grandmother for contact purposes. Two years later, the grandmother received a text message from Dr Reborn. While the grandmother was a customer of Dr Reborn, she was at a loss as to why the message included her granddaughter’s name. Upon inquiries by the grandmother, the staff of Dr Reborn stated that since the relevant doctor of Primecare had subsequently joined Dr Reborn, the personal data of his clients had also been transferred to Dr Reborn.
 
Investigation Case (2)
 
The complainant once received treatment at NYMG and provided his personal data to NYMG. Five years later, the complainant contacted re:HEALTH by phone to follow up on a complaint lodged by a member of his family, during which he provided his surname and phone number for contact purposes. Thereafter, a staff member of re:HEALTH called the complainant back and addressed him by his full name. The staff member explained that since the complainant had previously patronised NYMG, which was also owned by EC Healthcare, the staff member, who could access the database of all clients of EC Healthcare, was able to access the complainant’s full name and the date he had visited NYMG in the past.
 
Investigation Results of the Two Cases
 
According to the information obtained during the investigation conducted by the PCPD, EC Healthcare owned 39 brands relating to a variety of services, including general outpatient care, specialist outpatient care, dental care and aesthetic medical care. 28 out of 39 brands owned by EC Healthcare adopted the System, which involved the data of approximately 1.08 million members.
 
The PCPD’s investigation revealed that the System was developed by EC Healthcare to enhance customer service by enabling frontline staff to provide one-stop and holistic medical and healthcare services, respond to customers’ inquiries and handle complaints.
 
After acquiring Primecare and NYMG, EC Healthcare stored the personal data of the clients of these two brands (including those of the two complainants) in the System, and shared parts of their personal data among the 28 brands of EC Healthcare using the System, so that the relevant personal data were accessible by the frontline staff of various brands. In the two complaint cases, the personal data originally provided by the complainants to a single brand was disclosed and transferred, without their knowledge, to the staff of some other brands. The Privacy Commissioner finds that the above arrangement was plainly inconsistent with the original purpose of collection of the complainants’ personal data, and also fell short of their reasonable expectation for personal data privacy.
 
In addition, after acquiring Primecare and NYMG, EC Healthcare failed to obtain consents from the two complainants to such use, disclosure and transfer of their personal data among its various brands within the group, and never informed them by any means that their personal data would be stored in the System. Such practices were disappointing both from the perspective of compliance with the legal requirements and that of respecting clients’ wills.
 
In the circumstances, the Privacy Commissioner is of the opinion that EC Healthcare has contravened the requirements of DPP 3(1) in Schedule 1 to the PDPO on the use (including disclosure and transfer) of personal data.
 
The Privacy Commissioner is of the view that, as an established listed company, EC Healthcare should possess adequate resources and capabilities to formulate comprehensive policies and operation plans (such as carrying out a Privacy Impact Assessment for the System) so as to ensure that the design of the System, and the policies and practices of sharing clients’ personal data are in compliance with the requirements under the PDPO. However, the two complaint cases reveal that in undertaking mergers and acquisitions for market consolidation, and in collating clients’ personal data of its various brands through the System, EC Healthcare disregarded the requirements under the PDPO on the use (including disclosure and transfer) of personal data and failed to properly consider how the operation of the System may affect its clients’ personal data privacy. The Privacy Commissioner expresses regret at the above shortcomings.