Medical data on 44 million Koreans sold abroad

Another massive personal information leakage in Korea has come to light, this time not by hackers but in a for-profit business deal.

A joint governmental investigation team announced on Thursday that it is prosecuting the president of the Korean branch of a multinational medical information processing company and 23 others for illegally circulating and profiting from more than 4.7 billion medical and prescription records of 44 million patients in Korea.

The company, which acts as a consultant to the health and pharmaceutical industries, is suspected to have bought the information from a software company and the Korea Pharmaceutical Information Center, according to prosecutors, and has profited from the information to the tune of 7 billion won ($6 million).

The software company provided hospitals with medical information programs. It is believed to have collected 720 million medical treatment records from 7,500 hospitals across the country without the consent of patients from March 2008 to last November. The software company allegedly sold 430 million records to the medical consulting company for 330 million won.

Investigators say the software company violated the personal information code because the records had patients’ names, birth dates and names of diseases and drugs, which infringes their privacy. The law requires the consent of patients for the circulation of such information. 

The consulting company allegedly spent another 1.93 billion won to buy about 4.3 billion pharmaceutical compounding records from the Korea Pharmaceutical Information Center, which collected the information from 10,800 pharmacies from January 2011 to November 2014 through a program it distributed to them. The records also contain resident registration numbers of patients, diseases, compounds and doses of medicine. The investigators said the center did not explain that it was collecting the information through the program it gave to pharmacies.

The consulting company sent the 4.7 billion records of 44 million patients back to its headquarters in the United States, turned them into a database and earned about 7 billion won by selling it to domestic pharmaceutical companies, said the investigators. The pharmaceutical companies used it for marketing, which the investigators explained is not against the personal information security code.

The leaked data isn’t believed to have been used for other purposes, such as voice phishing.

“The information leaked this time hasn’t been found to have been utilized for other uses,” the prosecution said. “[The consulting company] said the data sent to the headquarters in the U.S. is securely managed or discarded there.”

The investigators also discovered shady practices by one of the country’s mobile carriers, which allegedly received about 78 million prescriptions of patients without their consent from 23,060 hospitals and earned 3.6 billion won by providing them to pharmacies in its electronic prescription project from October 2011 to last March.

The mobile carrier’s project was a service for pharmacies, the investigators said, though the Ministry of Health and Welfare sees it as misconduct because the ministry did not approve of the service. Following the announcement on Thursday, the ministry also released details of a plan to strengthen personal information security in the medical field. It is planning to carry out qualification tests for medical information programs and to require hospitals to use only qualified programs. Some 100 outside companies that provide such programs in Korea are also required to officially register them with the government. Additionally, programs that are used for personal information leakage will be suspended for three years.