Two Firms Issued Privacy Enforcement Notices

2022-11-14 HKT 14:35

The Office of the Privacy Commissioner for Personal Data has issued enforcement notices against a medical service provider and a photofinishing chain, saying both violated the Personal Data Ordinance.

Announcing the results of an investigation on Monday, the office said it took action against EC Healthcare after receiving complaints about four of its centres.

The office said 28 of 39 brands under EC Healthcare, including Primecare and Dr Reborn, have adopted an integrated internal database involving the data of around a million members.

In one case, a complainant who visited a doctor at Primecare was told that her information had been transferred without notice to Dr Reborn, which the doctor had later joined.

Privacy Commissioner Ada Chung called such acts "disappointing", adding that the medical group failed to consult its clients before sharing their data.

"EC Healthcare failed to obtain the relevant consent from its customers before it put their personal data in the internal integrated system for use among the 28 brands. In this regard, I find their practice disappointing," she said.

Chung added that her office will step up monitoring efforts on large healthcare organisations.

Meanwhile, photofinishing chain Fotomax has been issued an enforcement notice following a ransomware attack on the database of its online store.

The incident in October last year affected 544,862 members and 73,957 customers who had made purchases online.

Chung said Fotomax had "serious deficiencies" when handling the matter, such as misevaluating security vulnerability risks and delaying implementation of multi-factor authentication.

"Fotomax lacks the awareness of risks, and it also has serious deficiencies in its information system security, that lead to the hacking event, and that actually is the direct cause of the hacking event," she said.

The office urged companies to conduct regular risk assessments and enhance information systems management to prevent hacker attacks.
