43 million South Koreans had their medical information leaked

Over the weekend on PogoWasRight.org, I linked to an editorial from The Korea Herald about the sale of medical information of 43 million people (nearly 90% of the Korean population). The editorial began:

A company specializing in developing medical fees settlement programs used by hospitals and the Korea Pharmaceutical Information Center — which distributed free pharmacy management software to nearly half of the country’s pharmacies — were caught having sold a vast amount of data to a multinational firm, IMS Health Korea, whose U.S. headquarters, in turn, processed the big data and sold information on pharmaceuticals usage to companies in Korea.

The 2011 law on personal information protection law forbids the usage of personal information and medical information without consent. The Korea Pharmaceutical Information Center, in fact, is currently being tried for illegally collecting and distributing medical information in 2013.

IMS Health raised a 7 billion won profit by selling its report, created using illegally collected data, to Korean pharmaceutical companies.

Today, I came across earlier coverage from Yonhap News on July 23rd about the related prosecution:

A joint team of prosecutors and government officials said 24 people from a medical program development firm, only identified by the initial “G,” and a statistics company, known only by the initial “I,” were indicted for allegedly handling patients’ records of doctor visits and prescribed medication, pocketing some 10 billion won (US$8.59 million).

After receiving the data, the multinational statistics company sold the information to pharmaceutical companies after reprocessing the information based on patients’ personal information such as sex, age, disease and region.

South Korea’s largest telecommunication company SK Telecom Co. was also charged with gathering patients’ information without their consent through its health care business.

SK Telecom Co. denied the accusation.

“We were just electronically handing over patients’ prescriptions from hospitals to pharmacies,” a company spokesman said.

[…]

This is clearly a privacy/data protection situation, but given that it’s being prosecuted criminally, it seemed worth noting on this site for the benefit of those who would include it in their analyses of breaches. Do we conceptualize this as an insider (intentional or malicious) breach or not?

About the author: Dissent