A major personal data leak involving over 56,000 patients and staff has occurred in the Kowloon East Hospital Network managed by the Hospital Authority of Hong Kong. The police and the Hospital Authority held a press conference yesterday (8th) announcing the arrest of a 30-year-old local man in Tin Shui Wai, who claimed to be a system developer for an outsourced maintenance contractor. He has been detained for investigation on suspicion of “dishonestly using a computer.”
The Hospital Authority emphasized that the system in question is not directly connected to the core “Clinical Management System” (CMS), and detailed medical records of patients have not been leaked.
Inspector Cheung Hiu Yee of the Cyber Security and Technology Crime Investigation Department (CTCID) stated that on April 3, the Hospital Authority found that unidentified individuals had uploaded the personal data of over 56,000 patients, including names, genders and Hong Kong identity card numbers, along with a small number of Hospital Authority staff names, to an online forum for download. The Authority promptly reported this to the police and cooperated with the investigation.
Inspector Lee Chun Man added that after receiving the report, CTCID conducted a comprehensive examination of multiple Hospital Authority systems with digital forensic and incident response team members. By analyzing logs and access records, they traced the leak to a contractor’s employee who accessed sensitive data remotely without authorization.
Lee further explained that the police conducted a raid on the contractor’s offices in Kwai Chung and the Science Park, seizing over 60 digital devices, including servers, computers, and storage equipment for digital forensics. The suspect was arrested for “dishonestly using a computer” and is currently under investigation. The police are delving into the suspect’s motives, potential financial gain, and involvement of other individuals in the case.
Echo Ha, Director of Strategic Development at the Hospital Authority, mentioned that the Authority’s monitoring system detected the breach around 2 a.m. last Friday (3rd). They promptly notified relevant enforcement and regulatory agencies and took various measures, including reviewing internal network systems to ensure operational security.
Ha noted that the contractor’s employee violated regulations and contractual provisions by downloading patient data onto non-Hospital Authority computers. The contractor is responsible for a system related to the operating theater at Kowloon East Hospital Network, involving personal data of patients needing surgery and related procedure information. The systems involved do not have access to complete patient medical records, only information relevant to the operating theater.
The Hospital Authority places a high priority on network security and patient privacy, having immediately suspended all contractor access to Authority systems. Any emergency maintenance by contractors now requires approval and supervision by Hospital Authority personnel, with regulatory procedures being thoroughly reviewed.
For the 56,000 affected patients, Yuen Ka Yee, IT Coordinator of Kowloon East Hospital Network, stated that the Authority has sent messages via the “HA Go” app to around 37,000 registered users. As for the remaining 18,000 unregistered patients, efforts are underway to contact them individually by phone. Approximately 9,000 patients have been reached, and over 18,000 registered letters have been dispatched. A hotline at 5215 7326 has been set up for public inquiries, with 300 queries handled so far.
When asked about the possibility of data leaks affecting other Hospital Authority networks, Cheung responded that investigations are ongoing, as substantial digital evidence requires time for forensic analysis.
Ha added that the contractor is also responsible for maintaining other network systems. The Hospital Authority has scrutinized both the entire system and the contractor’s systems, and no similar incidents or data breaches have been discovered to date; surveillance measures have also been reinforced.
Regarding the termination of contracts with the contractor, Ha mentioned that the Authority is reviewing the contractual terms and legal advice in order to retain all rights to pursue the matter and take follow-up action, including relevant contractual and legal remedies.
The police stressed that the leaked files were previously uploaded to an online forum for free download, and cautioned citizens against downloading or sharing the sensitive data to avoid committing criminal offenses such as doxxing. Affected individuals are advised to be vigilant against targeted fraudulent calls and to call the anti-scam hotline 18222 for assistance if they have suspicions. The police are also requesting platforms to remove the data.
According to the investigation, the leaked data primarily originated from systems related to the operation and maintenance of the United Hospitals operating theater, and included patient names, genders, ID numbers, birth dates, hospital file numbers and surgery details, as well as a limited number of staff names and positions. The Hospital Authority CEO, Li Hsia Yan, reassured employees in a previous statement that the internal network is operating normally and unaffected by cyber attacks.
