The Department of Health (DH) said on January 28 it is seriously following up on a case involving a Dental House Officer (DHO) suspected of unauthorised access to medical records, and has referred the matter to law enforcement agencies for criminal investigation.
The case came to light after the Electronic Health Record Registration Office referred a public enquiry to the DH. The individual questioned why he had received an SMS notification stating that his electronic health records (eHRs) had been accessed by a DH healthcare officer, despite not having used DH services recently.
The DH immediately launched an investigation and preliminarily found that a DHO employed under non-civil service terms had repeatedly accessed the medical records of 16 individuals without consent. The records were accessed through the clinical information management system of a school dental clinic and the eHealth platform. None of the individuals concerned were patients of the DHO, who claimed they were personally known to him.
The DH has reported the case to the Office of the Privacy Commissioner for Personal Data, the Commissioner for Electronic Health Record, and the Dental Council of Hong Kong. The affected individuals have been notified, and the DHO has been suspended from duty.
Under the Dentists Registration Ordinance (Cap. 156), local dental graduates must complete an internship before full registration. The DH said the internship is designed to enhance clinical experience, professional judgement and ethical standards in real-life practice.
The DH noted that professional conduct, codes of practice, and patient data protection are clearly explained during the DHOs’ orientation programme. In addition, professional development programmes organised by the Faculty of Dentistry at the University of Hong Kong (HKU) cover ethical responsibilities and legal requirements for safeguarding personal information. In response to the incident, HKU’s Faculty of Dentistry will strengthen training on information technology security for dental students and interns.
To prevent similar incidents, the DH said it will review and enhance internal system security measures. Staff and healthcare personnel have been reminded to strictly follow internal IT security guidelines and rules governing the use of eHealth.
The DH emphasised that healthcare personnel must comply with relevant laws, including the Electronic Health Record Sharing System Ordinance (Cap. 625), obtain patient consent, and adhere to the principles of “Need to Know” and “Patient Under Care” when accessing medical records. All eHealth access is tracked to prevent abuse.
The department stressed that it places great importance on staff integrity and has established mechanisms to regulate conduct and discipline. Any substantiated misconduct or unlawful acts will be handled seriously and impartially in accordance with established procedures.