



The Hospital Authority (HA) has been urged to promptly notify all affected individuals and conduct a comprehensive review of system vulnerabilities, including contractor risk‑management, following a data leak that exposed sensitive information of more than 56,000 patients from the Kowloon East Cluster.
The leaked data, including patients’ names, gender, Hong Kong identity card numbers, hospital file numbers, and details of surgical procedures, were reported to have been uploaded to a third-party platform on April 4.
Speaking on a radio program on Monday, former Cluster Chief Executive of Kowloon East Cluster Luk Che-chung called the incident “serious” and “unacceptable.” He urged the HA to inform affected patients as soon as possible and to specify clearly which data were stolen.
Luk also questioned the leak of “original files,” arguing that no organization should permit staff to download records casually. He noted that internal access is strictly limited to staff who are currently responsible for that patient and have a legitimate clinical need.
Finding the breach highly unusual, he urged HA to investigate whether the leak came from an insider or a contractor, and to review whether risk‑management measures for contractors were sufficient.
While HA insisted that the incident did not involve a cyberattack, computer security expert Anthony Lai Cheuk-tung called the claim a smokescreen, warning that hackers monitor contractors serving Hong Kong organizations and exploit any weakness to seize data, even if they do not target the organization’s main network.
Lai said “original files” are usually exported in bulk by vendors during maintenance, backups or testing. He suggested the leak likely resulted from a vendor export and said investigators should focus on whether the file was properly protected on the vendor’s server and who downloaded it.
Both Luk and Lai said that HA and its contractors share responsibility for the breach. Lai also urged HA and other government departments to implement “jump servers” as an intermediary monitoring layer.
Under this system, all contractor maintenance work would be routed through the server before accessing the main system, allowing for real-time recording, surveillance, and the ability to intercept suspicious activities instantly.
Lai further called on departments to reassess their practices, arguing that accountability cannot be fully outsourced. He emphasised that organisations must ensure contractors meet their security standards and carry out frequent, high‑intensity monitoring.




