Hong Kong police arrest suspect over 56,000 patient data leak

Police say suspect allegedly downloaded data from hospital contractor system; records include HKID numbers and surgery details.
By Adam Ang

Hong Kong police have arrested a suspect over the unauthorised access and leak of personal data of more than 56,000 patients from the Hospital Authority.

In a statement on 4 April, the HA said its monitoring systems detected the breach at around 2 a.m. on 3 April, involving patient records from the Kowloon East Cluster that were later found posted on a third-party platform.

The leaked data included patients' names, gender, Hong Kong identity card numbers, hospital file numbers, and details of surgical procedures, it said.

According to a report by the Hong Kong Free Press, police said the 30-year-old suspect, an employee of a systems maintenance contractor engaged by the HA, is accused of downloading the data without authorisation and was arrested on suspicion of "access to computer with criminal or dishonest intent."

Investigators from the Hong Kong Police Force Cyber Security and Technology Crime Bureau said the leak originated from two contractor offices in the New Territories, where officers seized more than 60 digital devices, including servers and mobile phones.

According to the HA, the affected system, managed by the contractor, supported operating room functions and contained only surgical procedure-related data, without full access to patients' medical records.

The HA had reported the incident to the police and the Office of the Privacy Commissioner for Personal Data, and suspended the contractor's system maintenance work pending investigation.

Investigations are ongoing, including into the suspect's motive and any possible accomplices.

Meanwhile, the HA said a review of its internal systems found they were operating normally with no evidence of a cyberattack, indicating the incident involved unauthorised data access rather than an external breach.

It has notified affected patients through the HA Go mobile app, phone calls, and mail, and set up a dedicated hotline to handle enquiries. It also urged patients to stay vigilant against potential misuse of their personal data.

The HA added that it will work with law enforcement and cybersecurity partners to strengthen safeguards.

THE LARGER TREND

Vulnerabilities in suppliers and service providers were identified as a key cybersecurity risk in Hong Kong, particularly for critical infrastructure sectors such as healthcare, according to last year's cybersecurity outlook report by the Hong Kong Computer Emergency Response Team Coordination Centre. Other key risks include Internet of Things devices, large language models, and AI-generated malware and phishing content.

The latest healthcare data breach comes as Hong Kong pursues a series of digital health initiatives, including data standardisation, AI in cancer care, and cross-border electronic health record sharing, recently announced in Chief Executive John Lee Ka-chiu's fourth Policy Address.