Hong Kong Police Arrest Suspect in 56,000-Patient Data Breach Case

Hong Kong authorities have arrested a suspect in connection with the unauthorised access and leak of personal data belonging to more than 56,000 patients under the Hospital Authority Hong Kong (HA).

The breach, detected in the early hours of April 3, involved patient records from the Kowloon East Cluster that were later found circulating on a third-party platform.

Sensitive Patient Data Exposed

According to the HA, the compromised data includes:

• Patient names and gender
• Hong Kong identity card (HKID) numbers
• Hospital file numbers
• Details of surgical procedures

The affected system, operated by a contractor, was used to support operating room functions and contained surgical-related data rather than full medical records.

Suspect Linked to Contractor System

The Hong Kong Police Force confirmed the arrest of a 30-year-old employee of a systems maintenance contractor engaged by the HA.

The individual is accused of downloading the data without authorization and is under investigation for “access to a computer with criminal or dishonest intent.”

Investigators from the Cyber Security and Technology Crime Bureau traced the breach to two contractor offices in the New Territories, where more than 60 digital devices—including servers and mobile phones—were seized as part of the investigation.

No Evidence of External Cyberattack

Preliminary findings indicate that the incident stemmed from unauthorized internal access rather than an external cyberattack.

The HA stated that its core systems remain secure and operational, with no signs of broader system compromise.

Response and Patient Notification

The incident has been reported to law enforcement and the Office of the Privacy Commissioner for Personal Data. The HA has also:

• Suspended the contractor’s system maintenance work
• Notified affected patients via its HA Go mobile app, phone calls, and mail
• Established a dedicated hotline for inquiries
• Urged patients to remain vigilant against potential misuse of their data

The authority said it is working closely with cybersecurity partners to strengthen safeguards and prevent similar incidents.

Broader Cybersecurity Concerns

The breach highlights ongoing vulnerabilities within third-party vendor ecosystems—a growing concern for critical sectors such as healthcare.

According to the Hong Kong Computer Emergency Response Team Coordination Centre, supplier and service provider risks remain among the top cybersecurity threats, alongside emerging challenges related to IoT devices, large language models, and AI-driven cyberattacks.

Digital Health Push Amid Rising Risks

The incident comes as Hong Kong continues to expand its digital health initiatives, including data standardization, AI-driven cancer care, and cross-border electronic health record integration.

As healthcare systems become more digitally connected, ensuring robust data protection and vendor oversight will be critical to maintaining patient trust and system resilience.