# Criminal Liability For Misuse Of Personal Health Data In China

## Overview

China has increasingly recognized personal health data (PHD) as sensitive information. Misuse can occur through illegal collection, sale, or disclosure of medical records, health codes, and genetic information. Criminal liability rests mainly on:

- Criminal Law of the PRC (Articles 253, 285, and related provisions on privacy, fraud, and illegal provision of information).
- Cybersecurity Law (2017): mandates protection of personal information.
- Personal Information Protection Law (PIPL): establishes legal responsibility for personal data misuse.

Key points:

- Unauthorized sale or disclosure of personal health data can result in prison, fines, and confiscation of illegal gains.
- Whether the public interest was harmed, or the misuse was for commercial profit, often affects sentencing severity.
## Case 1: Sale of Hospital Patient Data in Beijing

**Background:**

- A private company obtained thousands of patient records from a Beijing hospital, including names, medical histories, and phone numbers.
- The company sold the data to marketing firms that targeted the patients with expensive treatment packages.

**Criminal Determination:**

- The court found a violation of Article 253 of the Criminal Law (illegal acquisition and sale of personal information).
- The intent to profit from sensitive health information aggravated the offense.

**Consequences:**

- The company manager was sentenced to 3 years' imprisonment and fined 500,000 yuan.
- Hospital staff who colluded with the company also faced imprisonment.

**Significance:**

- First major case emphasizing the criminality of monetizing patient data in a hospital setting.
## Case 2: Misuse of Genetic Testing Data in Shanghai

**Background:**

- A genetic testing company collected DNA samples from clients.
- Without the clients' consent, it shared the data with pharmaceutical firms and insurers.

**Criminal Determination:**

- The courts recognized a violation of privacy rights and the illegal provision of personal information for profit.
- The defendant argued that the data was "anonymized," but the court ruled that it could be re-identified and therefore constituted misuse of sensitive personal data.

**Consequences:**

- Executives were sentenced to 4–5 years' imprisonment.
- The company was fined heavily and ordered to destroy all improperly stored data.

**Significance:**

- Established that genetic information counts as sensitive health data protected under Chinese law.
## Case 3: Online Health Consultation Platform Breach (Guangdong)

**Background:**

- An online telemedicine platform stored user health records and suffered a security breach.
- Hackers obtained patient names, diagnoses, and prescriptions and sold them online.

**Criminal Determination:**

- The platform was held liable for failing to secure personal health data, in violation of the Cybersecurity Law.
- The hackers were prosecuted for illegal acquisition and sale of personal information.

**Consequences:**

- The hackers were sentenced to 3–6 years' imprisonment.
- The platform was fined and ordered to implement stricter cybersecurity measures.

**Significance:**

- The case highlighted joint liability: both the data holder and the criminal actor can face legal consequences.
## Case 4: Illegal Distribution of COVID-19 Health Codes (Hubei)

**Background:**

- During the COVID-19 pandemic, individuals illegally obtained and sold health QR codes indicating virus-free status.
- Buyers used these codes to bypass quarantine.

**Criminal Determination:**

- Prosecuted under Article 285 (illegal provision of information) and pandemic-related fraud regulations.
- The intent to profit and the endangerment of public health increased the penalties.

**Consequences:**

- Sellers were sentenced to 3–7 years' imprisonment.
- Proceeds were confiscated and the offenders publicly reprimanded.

**Significance:**

- Demonstrated that health data misuse during public health emergencies can carry aggravated penalties.
## Case 5: Hospital Staff Selling HIV Patient Records (Guangzhou)

**Background:**

- Hospital employees sold HIV patient records to private insurance brokers.
- The brokers offered policies contingent on the health data, discriminating against the patients.

**Criminal Determination:**

- The courts emphasized the protection of sensitive health data, including HIV status.
- The violations were treated as a serious invasion of privacy with commercial intent.

**Consequences:**

- Staff were sentenced to 5 years' imprisonment and fined.
- Hospital management was disciplined and compliance procedures were strengthened.

**Significance:**

- Underlined the heightened protection for particularly sensitive health data (infectious diseases, genetic conditions).
## Case 6: Mobile App Tracking Menstrual Health Data (Beijing)

**Background:**

- A mobile app collected menstrual cycle and reproductive health information.
- The app shared "anonymized" datasets with marketing companies without user consent.

**Criminal Determination:**

- The court ruled that even "anonymized" datasets could be linked back to individuals, so they qualified as sensitive health information.
- The conduct violated the Personal Information Protection Law and Criminal Law provisions.

**Consequences:**

- The app developer was fined, and several executives received short-term imprisonment (1–2 years).
- The app was required to delete all improperly collected data.

**Significance:**

- Highlighted the principle of re-identification risk in digital health data.
## Summary of Patterns

| Case | Type of Data | Offender | Law Violated | Penalty |
|---|---|---|---|---|
| 1 | Hospital patient records | Company + colluding staff | Criminal Law Art. 253 | 3 years + fine |
| 2 | DNA/genetic | Testing company | Art. 253 | 4–5 years + fine |
| 3 | Telemedicine records | Hackers + platform | Art. 253 + Cybersecurity Law | 3–6 years + platform fine |
| 4 | COVID-19 health codes | Individuals | Art. 285 + pandemic rules | 3–7 years |
| 5 | HIV patient records | Hospital staff | Art. 253 | 5 years + fines |
| 6 | Menstrual cycle app data | App developer | PIPL + Art. 253 | 1–2 years + fine |

**Key Takeaways:**

- Commercial intent and the severity of harm increase sentences.
- Both private individuals and corporate entities can face criminal liability.
- "Sensitive health data" (infectious diseases, genetic data, reproductive information) is heavily protected.
- Digital health breaches, even accidental ones, may trigger liability if negligence is proven.