Lost USB Drive Exposes Hong Kong Hospital Patients’ Data

Published

eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

Computerworld Hong Kong reports that a pharmacy staff member at Hong Kong’s Queen Elizabeth Hospital (QEH) lost a USB drive containing 92 patients’ personal data on February 18, 2014, but didn’t report the loss to management until three days later, on the 21st (h/t PHIprivacy.net).

The drive was unencrypted, and didn’t have password protection in place.

When the staff member finally reported the loss of the drive, more than 100 pharmacy employees were contacted as part of a search, but the drive wasn’t found.

According to the hospital, the drive held the patients’ personal data, information on drug prescriptions, and documents related to drug dispensing.

“We believe that the USB flash drive is misplaced in the restricted area of the [pharmacy] department,” a hospital spokesperson told Computerworld Hong Kong. “We consider the risk of exposing patient data to the public to be low.”

The loss has been reported to Hong Kong’s Hospital Authority (HA), the Hong Kong Police and the Office of the Privacy Commissioner for Personal Data.

“QEH is currently contacting all concerned patients or their families to inform them of the incident and to express apologies. … The hospital is very concerned about the incident, and will conduct an in-depth investigation as well as follow-up in accordance with HA’s Human Resources policy,” the hospital said in a statement [PDF]

Jeff Goldman Avatar

Subscribe to Cybersecurity Insider

Strengthen your organization’s IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices.

This field is required This field is required

Get the free Cybersecurity newsletter

Strengthen your organization’s IT security defenses with the latest news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

This field is required This field is required