Personal data, medical history of 100,000 patients may have been leaked in cyberattack at Hong Kong group OT&P Healthcare | South China Morning Post

Cyberattack took place within OT&P Healthcare’s management and operating system, according to group CEO Robin Green
Green says some patients’ Hong Kong identity card and passport numbers were stored on the system

A cyberattack targeted OT&P Healthcare’s management and operating system. Photo: Handout
The personal data and medical history of about 100,000 patients at a Hong Kong healthcare group could have been leaked due to a cyberattack last Thursday, the operator has confirmed with the Post.
OT&P Healthcare CEO Robin Green on Monday said the cyberattack took place within the clinic’s management and operating system. “That system holds both patient identity and medical records. We have no idea … how much data was taken,” he said.
The group’s internal IT department noticed significant “system instability” on Thursday afternoon and called in third-party experts to assess the situation, who advised that the system be taken offline immediately.
OT&P Healthcare CEO Robin Green. Photo: Handout
OT&P has a total of eight clinics in Central, Repulse Bay and Clear Water Bay, with about 100,000 patients.
The group said it had been informed by the experts that there had been a cyberattack, adding the system was currently under forensic examination to assess the scale of the attack.
Green said those responsible did not gain access to patients’ financial information or bank details. However, some patients’ Hong Kong identity card and passport numbers were stored on the system.
When questioned whether the attacker was able to download and save patient records and personal information, Green said: “It’s all subject to forensic examination, but right now, we don’t know. But we certainly do know that they did have access to the system.”
The incident was reported to police, the Department of Health and the Office of the Privacy Commissioner for Personal Data.
The privacy commissioner said it was following up on the case.
A spokesman for the Department of Health said it had received a notification of the incident on May 5, and was following up with OT&P. He added the group was registered under the Electronic Health Record Sharing System (eHR), a platform developed by the government to support two-way sharing among public and private healthcare providers.
“So far, there is no indication that any patient records on the eHR have been leaked or compromised. However, we have suspended the eHR account of OT&P until our investigation of all of its eHR-related activities is completed. We have also heightened security monitoring for any abnormalities,” the Department of Health and the Health Bureau said in a joint statement.
All patients were notified of the attack via email on Friday.
One of the individuals suspected to have been affected by the records breach is a 45-year-old resident from England, who requested to remain anonymous for privacy reasons. She visited the clinic in Central last Friday, where she was told the internal computer system was “completely down”, including its receipt-printing function.
The long-term Hong Kong resident, who runs her own consultancy business, said her two children and domestic helper were also patients. She expressed concern over the possibility of their medical information being stolen and misused.
“Obviously there are private and confidential details in there … It’s a worrying data breach and I’m concerned about where this information has gone and who has access to it,” she said.
“There is an email that has gone out and I commend [OT&P] on their quick response, but at the same time, as a patient there’s little else you can do about it.”
An OT&P Healthcare clinic. Photo: Handout
Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation, said the data could be misused in several ways.
“Firstly, obtaining this kind of information could be used to damage the reputation of the clinic. Secondly, it could also be used to blackmail patients with serious illnesses or health concerns that they don’t want to be made public.”
The Office of the Privacy Commissioner for Personal Data also said medical service providers needed to ensure that such records were properly handled and data protection mechanisms were in place.
It added that customers who may have been victims of cyberattacks should monitor their accounts and transactions and be wary of websites that ask for personal information.
Police have appealed to the public and businesses to take precautions, such as installing security software, deploying a multilayer information defence mechanism, as well as restricting and managing internal sensitive data.
Fong recommended that all companies carry out regular cybersecurity checks every few months to ensure that their system can withstand such attacks, which Green said OT&P does regularly.
“We do conduct regular audits and bring in outside parties to review our policies and our procedures,” Green said. “The advice that we had when this was last conducted was that the protection that we had in place was adequate for the purposes at that time.
“We are extremely sorry [that this has happened]. We want to provide our patients with all the support that we can in the circumstances, and we are doing everything we possibly can to mitigate what is an extremely difficult situation,” he said.
Green added an internal team has been established to answer questions from the group’s patients and he was also dealing with concerns directly.