On a global scale, incidents of leakage of patient privacy by hospitals or medical institutions occur from time to time, and specific cases and responsible persons usually involve institutional management negligence or illegal acts by individual employees. The following are a few typical cases that have been publicly reported and related processing results： --- ### **1. Anthem Inc. Data breach incident (2015)** -**Incident**: Anthem, the second largest health insurance company in the United States, suffered a hacking attack, and the personal information of approximately 78.9 million patients (including names, dates of birth, social security numbers, etc.) was stolen. -**Responsible person**: The investigation showed that Anthem was sued for failing to implement sufficient network security measures. The company eventually paid a集体115 million class-action settlement and paid a罚款1.6 million fine to the U.S. Department of Health and Human Services (HHS). -**Legal basis**: Violation of the U.S. Health Insurance Portability and Accountability Act (HIPAA). --- ### **2. Illegal access to medical records by British hospital employees (2020)** -**Incident**: An employee of a hospital in the British National Medical Service (NHS) accessed the medical records of multiple patients without authorization, including celebrity cases. -**Responsible person**: The employee involved was fired and faced criminal prosecution, and was eventually sentenced to imprisonment, probation and a fine. The NHS was fined £180,000 by the Information Commissioner's Office (ICO) for poor supervision. -**Legal basis**: Violation of the British "Data Protection Act" (GDPR). --- ### **3. Internal data breach of a hospital in China (2018)** -**Incident**: A top-three hospital in China was exposed to insiders selling pregnant women's information to a maternal and child product promotion company, involving tens of thousands of patient privacy data. -**Responsible person**: The staff of the Information Department of the hospital involved were criminally detained by the police, and the main person in charge of the hospital was interviewed by the Health Commission and the whole hospital reported criticism. The hospital was ordered to rectify and fined. -**Legal basis**: Violation of China's "Personal Information Protection Law" and "Network Security Law". --- ### **4. Information leakage of people living with HIV in Singapore (2019)** -**Incident**: The database of the Ministry of Health of Singapore was hacked, and the personal information of about 14,200 people living with HIV was disclosed on the Internet. -**Responsible person**: After investigation, the incident was caused by illegal actions by employees of a third-party contractor. The company involved was terminated, and the Ministry of Health strengthened data encryption measures and apologized to the public. -**Legal basis**: Violation of Singapore's Personal Data Protection Act (PDPA). --- ### **5. Leaked medical records of employees of the UCLA Health system in the United States (2021)** -**Incident**: Multiple employees of the University of California, Los Angeles Medical Center (UCLA Health) accessed celebrity medical records without authorization, including medical records and examination results. -**Responsible person**: The employee involved was fired and faced HIPAA violation charges. The hospital was fined US11.2 million for failing to effectively monitor data access. -**Legal basis**: Violation of HIPAA privacy rules. --- ### **6. Indian hospital database publicly exposed (2022)** -**Incident**: The cloud database of a private hospital in India was publicly exposed due to a configuration error, resulting in the diagnosis records and contact details of millions of patients being freely downloaded. -**Responsible person**: The person in charge of the hospital's information technology department was suspended, and the hospital paid a fine to the Indian data protection Agency and upgraded its security system. -**Legal basis**: Violation of India's Personal Data Protection Act (draft). --- ###**Commonalities and legal responsibilities of the incident** -**Institutional responsibility**: In most cases, hospitals or institutions are held accountable for “failing to implement reasonable data protection measures” and face high fines or rectification requirements. -**Personal responsibility**: The employees involved may be fired, fined or even sentenced (such as violating the “crime of infringing on citizens' personal information” in the Criminal law). -**Legal framework**: Countries generally adopt special legislation (such as HIPAA, GDPR, and China's Personal Information Protection Law) to strengthen the protection of medical data. --- ###**How to prevent similar incidents? ** 1. Medical institutions need to conduct regular data security audits； 2. Privacy protection training for employees； 3. Adopt encryption technology and access control； 4. Establish an emergency response mechanism for data leakage. For more details on specific cases, please refer to the public notifications of national health departments or data protection agencies.