South Korea PIPC Fines 6 Medical Entities For Unlawful Processing

The Personal Information Protection Commission (PIPC) sanctioned the entities for a number of violations. It found that personal data was leaked due to inadequate security. Affected individuals were not immediately notified about the breach, nor were they advised on what they could do to mitigate damage to their personal data. The entities also failed to destroy personal data once its purpose had been fulfilled, and they failed to notify employees that their personal data was disclosed to a service provider.

The PIPC took action against a plastic surgery clinic, a dermatology clinic, a medical association, a medical centre, a hospital and a pharmacist. They were all found to be violating the Personal Information Protection Act (PIPA).

Findings

Plastic surgery clinic

  • Failed to notify employees that their personal data was shared with a service provider
  • Did not encrypt customer and employee personal information
  • Failed to provide adequate security measures for safeguarding personal data
  • Did not immediately notify patients of what data was leaked during a data breach
  • Failed to provide ways to minimise damage resulting from the data breach

Dermatology clinic

  • Failed to provide adequate security measures for safeguarding personal data
  • Did not destroy personal data after the:
    • relevant retention period had passed
    • purpose of processing had been fulfilled

Medical association

  • Failed to provide notice about its data collection practices on its website
  • Processed personal information without express consent of the data subject
  • Failed to notify employees that their personal data was shared with a service provider
  • Did not destroy personal data after the:
    • relevant retention period had passed
    • purpose of processing had been fulfilled
  • Failed to provide adequate security measures for safeguarding personal data

Medical centre

  • Failed to provide adequate security measures for safeguarding personal data

Hospital

  • Failed to provide adequate security measures for safeguarding personal data

Pharmacist

  • Did not encrypt customer and employee personal information
  • Failed to provide adequate security measures for safeguarding personal data
  • Did not immediately notify patients of what data was leaked during a data breach
  • Failed to provide ways to minimise damage resulting from the data breach
  • Did not destroy personal data after the:
    • relevant retention period had passed
    • purpose of processing had been fulfilled

Fines

Plastic Surgery Clinic:
Fined KRW 10,600,000 ($8,916 USD)

Dermatology Clinic:
Fined KRW 42,000,000 ($35,329.15 USD)

Medical Association:
Fined KRW 16,000,000 ($13,458.72 USD)

Medical Centre:
Fined KRW 6,000,000 ($5,047.02 USD)

Hospital:
Fined KRW 6,000,000 ($5,047.02 USD)

Pharmacist:
Fined KRW 18,125,000 ($15,246.21 USD) for failing to encrypt customer personal data.
Fined KRW 9,000,000 ($7,570.53 USD) for its other violations.
Total KRW 27,125,000 ($22,816.74 USD).

Value Privacy can do a privacy health check for your business to make sure that all the information you handle is protected. Contact us today to find out how we can help.
