Computerworld Hong Kong reports that a pharmacy staff member at Hong Kong’s Queen Elizabeth Hospital (QEH) lost a USB drive containing 92 patients’ personal data on February 18, 2014, but didn’t report the loss to management until three days later, on the 21st (h/t PHIprivacy.net).
The drive was unencrypted, and didn’t have password protection in place.
When the staff member finally reported the loss of the drive, more than 100 pharmacy employees were contacted as part of a search, but the drive wasn’t found.
According to the hospital, the drive held the patients’ personal data, information on drug prescriptions, and documents related to drug dispensing.
“We believe that the USB flash drive is misplaced in the restricted area of the [pharmacy] department,” a hospital spokesperson told Computerworld Hong Kong. “We consider the risk of exposing patient data to the public to be low.”
The loss has been reported to Hong Kong’s Hospital Authority (HA), the Hong Kong Police and the Office of the Privacy Commissioner for Personal Data.
“QEH is currently contacting all concerned patients or their families to inform them of the incident and to express apologies. … The hospital is very concerned about the incident, and will conduct an in-depth investigation as well as follow-up in accordance with HA’s Human Resources policy,” the hospital said in a statement [PDF]
Get the Free Cybersecurity Newsletter
Strengthen your organization’s IT security defenses by keeping up to date on the latest cybersecurity news, solutions, and best practices.