About 100,000 patients of Hong Kong healthcare group OT&P Healthcare may have had their personal data and medical history leaked due to a cyberattack that took place on the clinic’s management and operating system on 4 May 2023. The group has eight clinics across Hong Kong.
The incident was first noticed by the company's internal IT department, which alerted a third party to assess the situation. The system has been taken offline and is under forensic examination to assess the scale of the attack.
No information was given on how much data was taken, but some patients' Hong Kong identity card and passport numbers were stored on the system. Patients' financial information or bank details have not been accessed, according to OT&P Healthcare CEO Robin Green.
The case has been reported to the police, the Department of Health and the Office of the Privacy Commissioner for Personal Data, which is following up on the matter.
All patients were notified of the attack via email on 6 May 2023. One of the patients affected expressed concern about her medical records being stolen and misused, and said the incident was a worrying data breach. The Office of the Privacy Commissioner for Personal Data has advised medical service providers to ensure that records are properly handled and data protection mechanisms are in place.
Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, has highlighted the potential risks of such information being obtained: it could be used to damage the reputation of the clinic or to blackmail patients with serious illnesses.
The Hong Kong police have appealed to the public and businesses to take precautions such as installing security software and restricting internal sensitive data, while Fong recommends that all companies carry out regular cybersecurity checks every few months to ensure that their systems can withstand such attacks.
The healthcare provider apologised for the incident and is conducting regular audits to review its policies and procedures.