A healthcare chain in Hong Kong has shared a database containing the personal information of more than a million customers among several of its member companies without their consent, the privacy watchdog has found, although the business insists strict limits on access were set.

The Office of the Privacy Commissioner for Personal Data on Monday also issued an enforcement notice to Fotomax, following a ransomware attack on the photo printing chain database that involved more than 500,000 customers.

In response to the individual cases highlighted in the privacy watchdog’s report, EC Healthcare clarified that no data security issues such as leakage by third parties were involved after an internal investigation.

The watchdog launched its investigation into EC Healthcare after receiving two complaints involving four of the member companies. The office said 28 of 39 brands under the healthcare company, including paediatric wellness centre Primecare and cosmetic surgery provider Dr Reborn, had adopted an integrated internal database, which involved the data of about 1.08 million customers.

“Such practices are disappointing both from the perspective of compliance with the legal requirements and that of respecting clients’ will,” privacy commissioner for personal data Ada Chung Lai-ling said.

EC Healthcare, founded in 2005, offers services ranging from beauty treatments to dental care and hair treatments across the city, mainland China and Macau, and is listed on the Hong Kong stock exchange.

In one of the cases, a mother said she accompanied her daughter to Primecare and provided the personal information of a relative to the clinic for contact purposes. Two years later, the relative received a text message from Dr Reborn that included the daughter’s name.

When the relative asked staff members about the message, they said that as the doctor at Primecare had joined Dr Reborn, his clients’ personal data had also been transferred over.

The second complaint involved a customer who provided his personal data to chiropractic and physiotherapy centre NYMG, acquired by EC Healthcare.

Staff at another company owned by the chain, re:HEALTH, then called the customer and addressed him by his full name, explaining that since he previously visited NYMG, they could use EC Healthcare’s database to access client data.

“After acquiring Primecare and NYMG, EC Healthcare failed to obtain consent from the two complainants for the use, disclosure and transfer of their personal data among the various brands within the group, and never informed them by any means that their personal data would be stored in the system,” Chun said.

The privacy watchdog said the company had breached the requirements of the Personal Data (Privacy) Ordinance and it had issued an enforcement notice directing it to remedy and prevent such a situation from reoccurring.

An enforcement notice was also issued to photo printing chain Fotomax, following a ransomware attack on the company’s database.

Fotomax lodged a data breach notification with the privacy watchdog ​in November last year, saying that its online store database had been attacked by ransomware the month before.

A total of 544,862 members and 73,957 customers who had ordered products and accepted services from its online store between November 16 in 2020 and October 26 last year were affected by the incident.

The watchdog said Fotomax had serious deficiencies in risk awareness and personal data security measures, and had failed to take all practicable steps to ensure that the data involved was protected from unauthorised or accidental access or use.

It urged organisations to conduct regular risk assessments and enhance information systems management to prevent being targeted by hackers.

In a statement on Monday evening, EC Healthcare said the company had not made customer information under all of its member companies available to all frontline staff, adding that it had set limited data access rights based on the roles of the staff concerned.

It also said it had already submitted a remedial plan to the privacy watchdog in September which involved holding internal training for all of its staffers and carrying out regular spot checks.