
A piece of maternity information is priced at 50 yuan: reporters investigate the problem of medical information leakage

2025-05-06   

Recently, Liu Li (pseudonym), a pregnant woman in Shandong, suddenly received a request to add a "friend": "XX Postpartum Center, providing professional postpartum services for you." Her heart tightened: a few days earlier, she had just completed a prenatal examination at a local hospital and maternal and child health hospital, and had never left any maternity information at any institution before. "The other party is well aware of various private information such as phone number, address, and gestational week." Liu Li immediately called 12345 to file a complaint. The next day, the hospital's customer service contacted her and said, "It may be that the XX confinement center is using the name of the hospital to promote sales." The staff admitted that this kind of incident "is not the first time it has happened," and the hospital promised to investigate the matter thoroughly and hoped that Liu Li would cooperate in collecting evidence and pursuing accountability.

Liu Li's experience is not an isolated case. In recent years, from the leakage of celebrity medical records to the sale of ordinary patients' medical records, medical information leakage has formed a mature black industry chain. How is patient privacy stolen? How does the illegal trade operate? How can this "black hand" be cut off? A reporter from the Rule of Law Daily launched an investigation into this matter.

Medical records can be checked for money

Recently, reporters searched social media platforms using keywords such as "medical information" and "medical records" and found many posts containing veiled language, such as "address travel", "location tracking trajectory", "room opening", "transaction flow", "file", and "records (social security records, medical insurance records, medical records, etc.)". One of the posts contained information pointing to a social account with an IP address located overseas. The reporter sent a private message to the account asking "how to check someone's medical records".
The other party sent a "business order" stating that they could check someone's phone location, the front and back of their ID card, marriage records, social security records, medical insurance records, medical records, academic qualifications, all assets, and other information. Of these, a query of medical records requires the person's mobile phone number, ID card number and city. The query results include all medical records, medical insurance records and hospitalization records. The turnaround time is 1 to 2 days, and the price is 1200 yuan.

"With only the other party's mobile phone number, no ID card number, and no city where he is, can you check the medical records?" In response to the reporter's question, the other party quickly replied, "Just add another 100 yuan."

In mid-April this year, the account published a post titled "Historical Medical Records, Medical Insurance Records, Precise; Personal Privacy Check for Premarital Health Check, Abortion Records, etc.", which included two pictures and three options for someone's medical records, consumption records, and social security contributions. In the medical record column, one can see information such as the name of the designated medical institution, processing time, start time, end time, type of medical certificate, medical category, disease name, hospitalization diagnosis name, and surgical operation name. The "disease name" column lists irregular menstruation, viral rash, influenza, menstrual disorder, post abortion, depression, inevitable abortion and other information.

A large number of such accounts exist on the Internet. According to the official account "Nettrust Shanghai", in a recent special law enforcement action the Shanghai Cyberspace Office found that a number of medical service Internet enterprises (mainly engaged in medical software development and maintenance, medical service training, digital health services, etc.)
failed to fulfill their network security and data security protection obligations under the law; their systems had network security vulnerabilities and were accessed from overseas IP addresses, with data stolen. Personal information was leaked, reflecting that some medical service Internet enterprises have problems such as non-standard and imperfect personal information systems, loose security protection, and non-compliant storage. The Shanghai Cyberspace Office has imposed administrative penalties on a number of medical service Internet enterprises in accordance with relevant laws and regulations.

An industry insider who has been undercover in the "Box Opener Group" stated bluntly that some "Box Openers" illegally expose large amounts of medical information and make malicious speculations about it. Some people's physical examination reports and visceral and orthopedic ultrasound images have been illegally made public, becoming objects of others' surveillance and sexual desire; some people's gynecological and psychiatric medical reports have been illegally made public, and they have been criticized and ridiculed by others.

How is medical information leaked through multiple channels?

Liu Xin, a professor at the Evidence Science Research Institute of China University of Political Science and Law and director of the university's Medical Law and Ethics Research Center, told reporters that there are several possible ways of leakage: loopholes in outsourced services, with third-party inspection agencies, medical equipment maintenance providers and other partners accessing patient data; patient carelessness, with examination documents and prescription forms containing personal information casually discarded; and leakage in public settings, with theft programs implanted in hospital Wi-Fi and self-service terminals hacked.
In addition, some patients' medication records are also at risk of leakage during the medical insurance settlement process.

"Obstetrics and neonatology are the hardest-hit areas." Liu Xin pointed out that a small number of medical personnel regard patient information as a "resource" and sell it as a "commodity".

The Notice of the Supreme People's Procuratorate on Printing and Distributing Typical Cases of Procuratorial Organs Punishing Crimes of Infringement of Citizens' Personal Information in accordance with the Law once reported such a typical case: Wu Moujia and Wu Mouyi were operators of a health massage center. To expand their customer base, Wu Moujia proposed to Wei, the head nurse of a hospital's obstetrics department, that Wei provide maternity information, and promised to pay Wei 50 or 60 yuan for each customer developed. If the customer subsequently purchased a card, an additional 10% commission would be paid to Wei. By the time the case came to light, Wei had sold over 500 pieces of maternal health and physiological information, including name, home address, phone number, delivery date, delivery method, etc., to Wu Moujia and Wu Mouyi.

The reporter found through reviewing public information that similar cases have occurred from time to time: Fu, an employee of a hospital in Beijing, posted celebrity medical records in a WeChat group to show off, leading to the spread of private information; the director of a hospital in Shanghai was suspended from practice for privately spreading nude photos of patients.

There are also system vulnerabilities that allow third-party platforms to become backdoors. In the leak of information on 32 maternity patients at an obstetrics and gynecology hospital in Zhejiang, the culprit was a third-party check-in software. The software illegally uploaded data such as gestational age and expected delivery date, which ultimately entered the black market.
27,000 patient files were stolen from a mental health center in Sichuan Province because the interface of the provincial medical information sharing platform lacked encryption and was easily breached by hackers.

Persisting despite heavy pressure and repeated bans

Reporters found that China currently has multiple legal provisions protecting patients' privacy rights. For example, Article 28 of the Personal Information Protection Law classifies medical and health information as sensitive personal information, and Article 55 requires personal information processors to conduct a personal information protection impact assessment in advance and record the processing situation. Article 1226 of the Civil Code clearly stipulates that medical institutions and their medical staff shall keep patients' privacy and personal information confidential. Those who disclose patients' privacy and personal information, or disclose their medical records without their consent, shall bear tort liability.

According to the Regulations on the Management of Medical Records in Medical Institutions, except for medical personnel who provide diagnosis and treatment services to patients, as well as departments or personnel authorized by the health and family planning administrative department, traditional Chinese medicine management department, or medical institutions to be responsible for medical record management and medical management, no other institution or individual may access patient medical records without authorization.

The interviewed experts pointed out that although relevant laws and regulations clearly protect medical privacy, problems such as difficulty in safeguarding rights, soft law enforcement, and the low cost of illegal activities are prominent in reality.
In Liu Xin's view, China currently has "three-in-one" legal protection: the Civil Code clearly states that medical institutions must bear tort liability for leaking privacy; under the Physician Law and the Nurse Regulations, those who disclose information may be warned, suspended from practice, or even have their license revoked; and the amendment to the Criminal Law stipulates that public officials who disclose information shall be punished severely. In practice, however, it is the directly responsible persons who are often punished, and the joint liability of managers is rarely pursued. The low cost of illegal activities leads to insufficient deterrence.

"Medical records have been repeatedly leaked, and there are many underlying reasons for this. The first is management negligence, where functional departments have vague definitions of privacy (such as 'whether medical traces belong to privacy') and have not refined employee behavior norms; the second is that, driven by interests, medical personnel have a large profit margin from selling information (such as selling information for 50 yuan per pregnant woman), and it is difficult to investigate and deal with, with a low probability of investigation and punishment; the third is related social problems, such as rampant buying and selling of citizens' personal information, and ineffective measures to expose and control harassing phone calls," Liu Xin said.
He pointed out that the way out of the current situation is to shift from "holding individuals accountable" to "systematic governance": strengthening warning education, drawing on anti-corruption models by producing warning videos of typical privacy leakage cases and requiring relevant personnel to study them; improving the joint accountability mechanism, not only punishing the leakers but also holding institutional managers accountable, forcing hospitals to strengthen internal control; strictly cracking down on the black production chain, increasing the crackdown on data trading platforms and illegal buyers, and raising the overall cost of illegal activities; and, drawing on international experience, stipulating that medical records can only be accessed when necessary, to reduce the risk of data leakage.

"Medical personnel need to establish a professional ethics of 'privacy is the red line' and integrate confidentiality awareness into daily operations; patients should also cultivate a 'privacy obsession', handle discarded medical documents properly, and actively collect evidence and protect their rights against suspicious marketing calls," Liu Xin said.

Industry insiders and experts interviewed pointed out that safeguarding medical privacy is not just a legal proposition, but also the bottom line of a civilized society. From encryption technology to severe punishment, from hospital self-inspection to public vigilance, only by weaving this protective net can everyone enter the clinic with peace of mind, without worrying about their privacy becoming a "commodity" in the hands of others. (New Society)

Edit: Rina  Responsible editor: Lily

Source: Legal Daily
