Hong Kong police have arrested a man suspected of stealing the personal data of more than 56,000 patients from a Hospital Authority (HA) computer system. The Hospital Authority logo. Photo: Tom Grundy/HKFP. On Wednesday, police identified the 30-year-old suspect as an employee of a systems maintenance contractor hired by the HA. He is accused of downloading patient data without authorisation.
The HA previously disclosed on Saturday that personal information belonging to patients – including names, genders, ID numbers and surgical procedure details – in the Kowloon East cluster was leaked onto a “third-party platform.”
During a press conference on Wednesday, officers from the Cyber Security and Technology Crime Bureau said the leak originated from two of the contractor’s offices in the New Territories.
Police raided the offices, seizing more than 60 digital devices, including servers and mobile phones. The suspect was arrested Tuesday in Tin Shui Wai on suspicion of “access to computer with criminal or dishonest intent.” Superintendent Ferris Cheung said investigators are still probing the suspect’s motive and possible accomplices.
Limited access to medical records
Tony Ha, the HA’s director for strategy and planning, said during the same press conference that the contractor was responsible for an operating room system used by the Kowloon East network.
“The system involved in this data leak only contained information related to surgical procedures,” Ha said in Cantonese. “The system and the contractor do not have full access to patients’ medical records.” Hospital Authority. File photo: Tom Grundy/HKFP. Following the breach, the HA conducted a comprehensive scan of its other systems and found no further irregularities, he said.
Ha added that all contractor access to HA systems had been suspended and that any emergency maintenance must now be carried out under the direct supervision of HA personnel. See also: Hong Kong privacy watchdog records 20% increase in data breaches – a third involve hacking Former lawmaker Michael Tien alleged on Saturday that the leak occurred at United Christian Hospital’s anaesthesiology department during a system upgrade on April 1. Ha declined to comment on this specific claim on Wednesday. He also defended the delay in public disclosure, saying the timing was coordinated with law enforcement.
Kenny Yuen, IT coordinator for the HA’s Kowloon East cluster, said the authority had notified more than 37,000 users via the HA Go mobile app. An additional 9,000 patients were informed by phone, and 18,000 letters were sent.
Officials urged patients to remain vigilant against potential scams and to report any suspicious calls to the authorities.