Patient data leak | Li Xiayin sends an email to employees suspecting unauthorized data theft

The Hospital Authority has experienced a data leakage incident involving patient information, affecting more than 56k patients in the Kowloon East Hospital Cluster.

In a letter to staff, the Hospital Authority’s Chief Executive, Li Hsia-yin, emphasized that patient data security is of utmost importance. After an initial review, the network system is operating normally, and there is no evidence at this time to suggest that a network attack is involved. The incident is suspected to be related to someone illegally stealing patient data, and the Hospital Authority will fully cooperate with the police in investigating the cause of the leakage.

The Hospital Authority’s regular monitoring system, at about 2:00 a.m. yesterday, detected that patient information had been leaked from a public hospital and was improperly uploaded to other platforms. The leaked data appeared in the form of computer raw files, including patients’ names, gender, identity card numbers, hospital file numbers, and surgery details, among other information. The data also includes a small number of employees’ names and job titles from the network cluster, but no employee identity card numbers or other personal information were found to be included.

The Hospital Authority attaches great importance to this matter and is handling it seriously. It has immediately reported the incident to the police and notified the Privacy Commissioner for Personal Data, and has also required the relevant third-party platforms to remove all leaked information.