As an epicenter of the COVID-19 outbreak, China has launched an unprecedented effort to control the disease, locking down Wuhan in the province of Hubei — a megacity of 11 million people.
These measures may have helped protect against transmission, but whether patients' information has been properly protected remains in question. Personal information, such as national ID number, residential addresses and occupations have been leaked online for people who travelled from Wuhan to Shanghai or Inner Mongolia. A citizen discovered his name in online lists after he reported to authorities that he had returned from Wuhan to his hometown of Linhai.
During this unusual time, concerns about information safety are based on the real possibility of prejudice and harassment. Information breaches can also lead to identity theft.
How did China respond to this emergent health incident during the lunar new year celebration, a period of the largest annual human migration in the world, and how did the response influence the privacy of ordinary people?
To understand the context of the illegal information disclosure, we must look at the patient tracking processes used in China and other regions, and the important role of surveillance technologies.
Online maps are good resources for concerned citizens to check whether there is an imminent disease threat in their area. A dashboard developed by Johns Hopkins University presents the coronavirus outbreak using data from the Centers for Disease Control and the World Health Organization. A health map by Boston Children's Hospital, on the other hand, summarizes epidemic alerts through news reports and social media posts.
Artificial intelligence is also tracking the spatial patterns of the epidemic. A Canadian company called BlueDot collects multilingual news reports and data from official public health databases to predict the potential of future outbreaks. Researchers from Harvard Medical School gather authoritative information plus social media data to explore the geographical trends of the disease.
However, Chinese officials need more accurate locations of potential virus spreaders.
Telecommunication companies in China announced a feature that generates a list of recently visited provinces when subscribers text a hotline. Rail stations such as the one in Yiwu required passengers to show their travel history from the hotline before boarding a train, screening out people who had been to Hubei province.
Before this feature rolled out, China had been using licence plates and facial recognition technology to track people who left Wuhan before the city's lockdown. Drones were also used to remind people to wear masks in public areas.
Some municipal governments have "innovative" methods other than technological approaches. Starting Feb. 7, at least three Chinese cities including Hangzhou, Ningbo and Sanya pulled fever and cough drugs off pharmacy shelves so patients with such symptoms would have to visit doctors at hospitals. Some officials from Hebei province in northern China turned "neighbour against neighbour" by offering 1,000 RMB (about $190) to residents for each person from Wuhan they reported.
Outside of mainland China, the Hong Kong government has issued tracking wristbands to families returning from Hubei province. These ensure the Department of Health is notified if the wearer leaves their home during a 14-day quarantine period.
Similar strategies have been used in Taiwan, where smartphones have been assigned to notify police if patients are not quarantined at home. Whether the monitoring technologies turned home quarantine to "house arrest" remains debatable.
Tracking down patients is troublesome enough, but whether their sensitive information is released depends on local administrations.
A study found that after a list of hospitals with MERS-CoV patients was disclosed to the public in South Korea in 2015, the number of laboratory-confirmed MERS-CoV patients decreased significantly. The study published in January indicates that responsible information disclosure helps control infectious respiratory diseases.
Possibly inspired by previous experience, the South Korean government is extremely open about communicating patient activities to the public. Officials published travel data on the 29 confirmed patients on the Ministry of Health and Welfare website compiled by aggregating data from cell phone, credit card and transit card records, as well as CCTV footage. The Hong Kong government had a similar measure, publishing a list of apartments with quarantined residents on the Department of Health's website.
Japanese authorities, however, are in disagreement on disclosing travel data on coronavirus patients. The Japanese Health, Labour and Welfare Ministry provided no details. However, after the driver of a bus that transported tourists from Wuhan became infected with COVID-19, the Nara Prefectural Government shared the locations the bus had visited.
Some U.S. states are in line with the Japanese Health Ministry and make patient privacy a priority. On Feb. 5, Ohio passed a new protocol protecting patients' places of origin while their cases are under investigation. Florida has a similar state law that prevents public access to information about suspected patients.
While patient information disclosure practices vary from one administration to another, laws are in place to guard against improper management of sensitive information.
In China, the personal information protection regulation is called Cybersecurity Law of the People's Republic of China, and best practices of personal information handling are described in Personal Information Security Specification.
A notice from the Cyberspace Administration of China (CAC) on Feb. 9 clearly states that personal information such as "names, ages, identity card numbers, telephone numbers, household addresses and other such information" may not be used for purposes other than "epidemic control and disease prevention."
In the United States, the Health Insurance Portability and Accountability Act (HIPAA) explains under what circumstances health-care professionals may disclose patient information to families, public health agencies and the media. The Family Educational Rights and Privacy Act (FERPA) provides additional guidance for health practitioners in different settings such as university hospitals.
U.S. Department of Health and Human Services also posted a bulletin to remind health-care workers that information about "an identifiable patient" may not be disclosed to the media or the public without "the patient's written authorization" except in special circumstances.
In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) is the national privacy law that regulates personal information disclosure, including health-related practices. Under PIPEDA, and under provincial patient privacy legislation where it exists, consent is required to collect, use or disclose an individual's personal health information. To date, only unidentifiable patient information has been released by health officials to create a timeline of cases in the country.
With strict enforcement of privacy law, wide disease prevention education and proper location information disclosure, it is hoped that patient information leaks will diminish in China, and patient privacy will be better protected during an epidemic outbreak.