The personal data of more than 56,000 patients has been compromised in a significant data breach at the Hong Kong Hospital Authority (HA), which has now been reported to the Office of the Privacy Commissioner for Personal Data (PCPD).
The PCPD confirmed that it has been notified of the incident and has launched an investigation in accordance with its established procedures.
The leaked personal information includes sensitive details such as patients' names, identity card numbers, gender, dates of birth, hospital numbers, appointment dates, and other health-related information.
The privacy watchdog has issued a public reminder for potentially affected individuals to remain vigilant.
The public is advised to be cautious of suspicious calls, text messages, or emails from unknown sources and to avoid opening attachments, clicking on links, or disclosing personal data without verification.
The HA stated that its routine monitoring system detected a case of suspected unauthorized access and leakage of patient data on a third-party platform in the early hours of yesterday.
Emphasizing that it takes the matter very seriously, the HA has reported the incident to the police.
The authority also noted that it has already reviewed its internal network systems and confirmed that they are operating securely and normally.
The HA has pledged to fully cooperate with the police investigation and will be contacting the affected patients.
Lawmaker Rebecca Chan Hoi-yan pointed out that the incident was initially discovered through external monitoring rather than a proactive disclosure by the HA, with more detailed information coming from the Privacy Commissioner’s office than from the authority itself.
While initial reports suggested the leak affected approximately 56,000 individuals, data circulating online suggests the actual number of victims could exceed 200,000, prompting calls for the HA to clarify the true scale of the breach immediately.
The severity of the incident remains uncertain as officials investigate whether the leak stemmed from internal misconduct, employee negligence, or a sophisticated external hack.
Chan noted that while a localized leak from a single department would have a limited impact, a breach involving systemic security vulnerabilities or a hack of the central network could mean the number of affected patients is far higher than initially estimated.
She emphasized that the current level of public disclosure is inadequate and that the authority must determine if the breach occurred through a third-party vendor or a specific hospital cluster's network.
Notifying the vast number of potentially affected individuals presents a significant logistical challenge.
Lawmakers have suggested that if the HA cannot contact every patient individually in a short timeframe, it should utilize mass media channels to warn the public.
The primary concern is protecting patients from secondary harm, such as targeted fraud or financial loss. Because each patient's risk profile differs, the government is being urged to offer maximum assistance to those whose sensitive information has been exposed to prevent criminal exploitation of the data.
The breach has raised serious questions about the effectiveness of the HA's existing cybersecurity infrastructure.
Despite previous assurances to the Legislative Council regarding high-level security measures—including third-party monitoring, advanced firewalls, and data encryption—the current incident suggests a potential failure in these protections.
Critics argue that while the HA expressed great confidence in its systems, the evolving nature of cyberattacks means it cannot afford to underestimate the risks.
There are growing fears that such incidents will erode public confidence in digital health platforms like "eHealth" and "HA Go," which are essential for managing appointments, payments, and medical records.
In response to the recurring theme of data leaks across various public sectors, lawmaker Kitson Yang Wing-kit has called on the government to issue a uniform set of security guidelines for all public organizations.
He noted that hackers often gain entry through human error, such as employees clicking on phishing emails or malware links.
To prevent future breaches, he advocated for a more robust security culture and stricter operational protocols to ensure that the "digital walls" protecting citizen privacy are strong enough to withstand increasingly sophisticated global cyber threats.
