South Korea: Major health data breach hits sector ‘weak’ in compliance
Rocio Galeote has more on the case in South Korea that involves the allegedly illegal sale of prescription information to IMS Health Korea and the transfer of that info to IMS Health in the U.S., etc. The breach impacts 43 – 44 million Koreans. I still haven’t seen anyone name the systems developer who’s also charged by prosecutors.
In the first case, the Task Force investigated a medical information systems developer and the Korean Pharmaceutical Information Center (‘KPIC’), and found that they had provided IMS Health Korea, a data service and consulting company, with patients’ health information data without their consent. The Task Force also found that IMS Health Korea had transferred this information, without a sufficient level of encryption, to its headquarters in the US to produce statistics.
That last bit about insufficient encryption is news to me. On that point, DataGuidance reports:
Keun Woo Lee, Partner at Yoon & Yang LLC, informed DataGuidance, “IMS Health Korea has asserted that patients’ registration numbers were encrypted and unidentifiable, and thus it would not run afoul of PIPA, however, the Task Force has not agreed. According to the latter, the encryption method used by IMS Health Korea was simply to substitute numbers into letters.“
If that’s true, wow.
Read more on DataGuidance.