IT governance aims at risk mitigation and the delivery of business value. Human resources are an important asset of an organization, but they can also be a key source of the threats and vulnerabilities that may harm its systems. Personal information is two-sided: it is the most valuable asset of an organization and also the target protected by privacy law. The law strictly restricts the use of personally identifiable information and sensitive information to narrow limits. To achieve their primary goal, medical treatment, healthcare organizations must handle personal information. This study investigates inherent vulnerabilities through a survey of hospital staff who manage information, and examines whether personal health information is safe from threats. 70% of respondents use weak passwords, and one third of them share their passwords with others. 50.6% of respondents set a password for access to the operating system, and only 31.2% log out when the system is not in use. 48.5% save confidential information in their personal storage, and only one fourth use encryption.