Loopholes in Korean Law Leave Patients’ Medical Records Vulnerable


Patient Privacy at Risk as South Korea Delays Medical Record Safeguards (Yonhap)

SEOUL, Oct. 2 (Korea Bizwire) — Despite repeated warnings, South Korea’s legal framework still fails to prevent unauthorized access to patients’ medical records, leaving sensitive information vulnerable to misuse.

At the center of the concern is a glaring legislative gap: under current medical law, hospitals are only required to keep logs when electronic medical records (EMR) are added to or altered. Simply opening a patient’s file — even without consent or medical justification — does not legally require a record of who accessed the data.

This loophole was most visibly exposed in 2016, when dozens of medical staffers were found to have viewed the late farmer Baek Nam-gi’s medical records without authorization. At the time, investigators struggled to identify or punish those responsible because simple “view-only” access left no mandatory audit trail.

Technically, Health Ministry guidelines stipulate that all actions, including viewing, input, modification and deletion of EMRs, should be logged. But because the rule is only an administrative order, not a statutory requirement, enforcement has largely been left to the discretion of medical institutions. Critics liken it to “CCTV that records, but doesn’t track who comes and goes.”

Korean Hospitals Still Vulnerable to Unauthorized Medical Record Access (Image supported by ChatGPT)

The problem is compounded by widespread practices within hospitals. Doctors and nurses often share login IDs to keep pace with demanding workloads, while proxy prescriptions under another staffer’s account are tacitly tolerated. In such cases, even existing access logs cannot reliably identify who viewed or altered a record.

Privacy advocates warn that without stronger oversight, patients remain exposed. Even when breaches are discovered, hospitals frequently handle incidents internally, with mild sanctions that rarely deter repeat offenses.

Experts are calling for systemic reform. Proposed solutions include mandatory two-factor or biometric authentication for medical staff, stricter bans on ID-sharing, and stronger external monitoring.

Lawmakers and watchdogs argue that tying EMR oversight to national audits by agencies such as the Health Ministry or the Board of Audit and Inspection is essential to restoring trust.

“Right now, it’s too easy for institutions to police themselves,” one parliamentary researcher said. “Without clear legal obligations and independent oversight, patients’ most sensitive information will remain at risk.”

M. H. Lee (mhlee@koreabizwire.com)
