About 2,000 doctors and patients filed a damage suit of 5.4 billion won ($4.7 million) against Korea Pharmaceutical Information Center (KPIC)약학정보원, Korean Pharmaceutical Association(KPA)대한약사회, and IMS Health Korea IMS헬스코리아 for their alleged leaks of personal information, but lost.
The Seoul Central District Court Monday said it admitted KPIC and IMS Health Korea leaked patients’ personal information and violated the privacy protection law. Noting there wasn't enough evidence that they harmed the people and the legal application period was over, however, it decided in favor of KPIC.
Prosecutors raided KPIC and IMS Health Korea in December 2013 on suspicion of violating the personal information protection law. They said KPIC collected personal information of patients and doctors by using PM 2000, a pharmacy claims management program it developed and distributed to drugstores, and provided the information for multinational company IMS Health Korea.
KPIC provided the collected information to IMS Health Korea. And as the level of encryption was low, personal identification was possible in the process.
A special committee on medical information protection under the planning and policy committee of the Korean Medical Association filed the lawsuit in 2014, demanding to compensate 3 million won ($2,650) per doctor and 2 million won per patient.
Besides KPIC and IMS Health Korea accused of the personal information leakage, the KPA, the primary operator of PM2000, was included among the targets of the suit.
The court, however, ruled against the plaintiffs three years after they filed the suit.
The court saw KPIC and IMS Health Korea violated the personal information protection law because the encryption of the information they had collected from 2011 to June 2014 through PM2000 was low and identification was possible.
As the personal information wasn’t leaked to the outside of IMS Health Korea and not used in crimes, however, the judges said there were not enough grounds to think they inflicted damage to the plaintiffs.
In other words, the court acknowledged the defendants violated the personal information protection law, but did not need to make compensation because they didn’t generate damage to the plaintiffs.
Now that the judges admitted the charge of violating the personal information protection law, the court is likely to recognize the same charge in the criminal suit.
Prosecutor demanded imprisonment and fines for IMS Health Korea, Ginus지누스, and KPIC in November 2016 on the charge of violating the personal information protection law and the information and telecommunication law by collecting, providing, and selling patients’ information without permission.
<© Korea Biomedical Review, All rights reserved.>