EC Healthcare Responds to the Investigation Report of the Office of the Privacy Commissioner for Personal Data (“PCPD”) The Group Attaches Great Importance on Clients’ Personal Data Privacy Protection The Group Continues to Enhance the Data Governance and Clients Personal Data Management System and Policy

November 14, 2022

The largest non-hospital medical service provider in Hong Kong*─EC Healthcare (the “Company”, together with its subsidiaries, the “Group”; HKEX stock code: 2138) responded to the investigation report published on November 14 by the PCPD regarding ” EC Healthcare’s Sharing of Clients’ Personal Data among its Various Brands through an Integrated System “.

Regarding the investigation report by the PCPD, we must clarify that the Group has not divulged the customer personal data of all brands under the Group to the front-line employees of all brands. The Group has set down limited access to personal data based on the functions of relevant employees and the operation need to serve clients (such as enquiring related service records, changing appointments and handling complaints, etc.). Despite different brands under the Group are using one integrated information platform, unless the customer’s consents are obtained, the Group prohibits any actions related to accessing, transferring, and using relevant clients’ medical records, diagnostic records and medical report among different brands. As for the individual cases mentioned in the investigation report by the PCPD, based on our internal investigations, there was no involvement on third-party data security leakage issues upon our Group’s completion of internal investigation. Group is still pending for further information from PCPD to review the relevant cases to enhance the relevant employee code of conducts and the information system design.

EC Healthcare is the largest non-hospital multi-specialty medical brand healthcare service provider in Hong Kong. To achieve our customer-oriented philosophy, the Group strive to provide seamless and premium healthcare management services and make it convenient and follow timely manner. The Group attaches great importance on protection of clients’ personal data privacy, and has been continuously improving data governance and client personal data management system and policy. Upon knowledge of the cases mentioned above, the Group actively cooperated with the PCPD and conducted internal investigations to incessantly improve the strict standards to protect clients’ personal data.

The Group’s business model comprised of M&A and empowerment via corporatization, such model is unique in the market. In view of this unique business model, we have invested millions of capitals to enhance data governance and customer personal data operation processes. In addition, we’ve hired renowned international professional consulting companies to review and structure the data governance frameworks, management systems, policy setting, training systems, optimize access management for data and client personal data.  The Group also invited the PCPD professionals to conduct relevant training for the Group’s employees in January this year to strengthen the management and employees’ understanding of relevant laws and guidelines.

In recent years, the Group grow rapidly through continuous M&A of different premium medical brands, and deliver open and transparent communication with the public through multiple channels (such as announcements on the Stock Exchange, display of relevant brand trademarks in service premises, updates on the Group’s privacy policy on the Group’s brand websites, etc.) to communicate with public for the Group’s acquisition and business development. Clients of the Group serve the right to accept or cancel relevant marketing activities at any time.

Regarding the enforcement notice and related recommendations of the PCPD, the Group has submitted relevant improvement action plans to the PCPD in September this year, the plan include strengthened the relevant professional training system, provide internal training, assessment and regular spot checks for all employees. The Group is looking forward to receive further enforcement guidelines and case sharing from PCPD to jointly enhance privacy data processing and governance. The Group will continue to strive to strengthen the corporate governance and operating system level of our diversified business models, and protect clients’ personal data with the most stringent standards.