The Hospital Authority (HA) has experienced a major data breach involving personal information of more than 56,000 patients and a small number of HA staff. The leaked data includes names, identity card numbers, gender, dates of birth, hospital numbers, appointment dates, and health information. The data was stolen and posted on the dark web. Police have arrested a system developer employed by an outsourced system maintenance contractor, suspected of illegally downloading patient and healthcare worker data.
HA Director (Strategy and Planning) Tony Ha said on a radio program today (April 9) that the contractor was responsible for maintaining a surgical operations system in the Kowloon East Cluster. Normally, contractors do not need to access patient data, and any such access requires prior HA authorization through established procedures. In this incident, the contractor obtained patient data without authorization, which was illegal and highly inappropriate.
When asked whether the patient data was encrypted, Ha said the case is under police investigation, and details cannot be disclosed. He did not directly answer whether the breach revealed any system vulnerabilities but stated that HA had detected the incident promptly, strengthened routine monitoring, and conducted a comprehensive review of internal clinical systems. No further data leaks were found. The contractor's system maintenance work has been suspended, and any necessary work will be carried out under supervision.
Ha said HA has set up a hotline for affected patients. So far, over 30,000 patients have been notified via the HA Go mobile app, and another 18,000 have been called. Of those, 10,000 have been reached, and the rest will receive letters. HA will assist those in need.
Legislative Council member Elizabeth Quat, also appearing on the same program, expressed shock at the incident. She noted that the leaked data had been downloaded over 8,000 times on the dark web, posing serious risks to citizens' privacy and daily lives. She urged HA to contact all affected patients as soon as possible, especially the elderly, who may not check the app.
Quat questioned why HA's internal monitoring was strict, but its oversight of contractors appeared lax. She noted the lack of real-time monitoring systems that could flag or block unauthorized or off-hours logins, calling this a major loophole. She emphasized that outsourcing system services does not offload the responsibility for protecting privacy. Contractors should undergo rigorous background checks, and the fact that an unauthorized person could access and download data indicates a fundamental problem with the system's security awareness.
(Source: Wen Wei Po)
Related News:
'King Maker III' contestant Jensen posts resuscitation photo online: Hospital Authority follows up
Comment