The Personal Information Protection Commission on Thursday unveiled its disciplinary actions against 17 general hospitals that leaked patient information to pharmaceutical companies. (Credit: Getty Images)

Seventeen university hospitals have been disciplined by the Personal Information Protection Commission (PIPC) for leaking patient information to pharmaceutical companies.

The commission said Thursday that it has advised 17 university hospitals that violated personal information protection laws to improve their personal information handling practices. The commission also imposed fines on 16 hospitals.

According to the PIPC’s recent investigation, the information of 185,271 patients was leaked from 17 university hospitals between April 2018 and January 2020. Severance Hospital had the most extensive leak, involving 57,912 patients.

Employees at nine hospitals handed patient information to pharmaceutical company employees, and those at four hospitals ignored pharmaceutical company employees obtaining their patients’ information. At two institutions, pharmaceutical company employees gained access to hospital systems by stealing accounts.

Hospital and pharmaceutical company employees involved in the leakage of patient information are under police investigation for violating the Personal Information Protection Act.

The investigation also found that 16 university hospitals did not keep records of personal information handlers’ access to the personal information processing system for more than two years, or did not properly check the reasons for downloading personal information and the access records.

Hallym University Sacred Heart Hospital, Dongtan Sacred Hospital, Kangnam Sacred Hospital, and Hangang Sacred Hospital did not keep records of access to the personal information processing system for over three years, despite changes in the personal information handlers. They also did not take security measures for auxiliary storage media, including USBs. Soon Chun Hyang University Hospital Seoul and Konkuk University Chungju Hospital also did not have security measures for secondary storage media.

Kangbuk Samsung Hospital and Korea University Guro Hospital were found to have weak personal information processing systems, allowing physical access without authorization.

“We hope the investigation serves as an opportunity for general hospitals that process a large amount of sensitive information to raise awareness of personal information protection and to recognize that they should check their personal information processing systems regularly and conduct personal information protection training for internal employees,” a commission official said.

Copyright © KBR Unauthorized reproduction, redistribution prohibited