OT&P Healthcare, which operates eight clinics and employs over 200 staff across Hong Kong, has apologised to its patients after 100,000 clients' personal data and medical history were reportedly compromised amidst a data breach.
According to SCMP, OT&P Healthcare CEO Robin Green said the cyberattack took place within the clinic’s management and operating system on 4 May, which holds both patient identity and medical records.
Green did not know how much data had been taken, nor whether the attacker had been able to download and save patient records and personal information. While the attacker did not gain access to patients' financial information or bank details, the CEO said that some patients' Hong Kong identity card and passport numbers were stored on the system.
OT&P Healthcare then apologised to clients in an email, saying it was working with a third-party forensics firm to assess the situation and had reported the incident to the police, the Department of Health and the Office of the Privacy Commissioner for Personal Data (PCPD) for investigation. It added that normal services would resume, and warned patients to report suspicious emails appearing to come from OT&P, HKFP reported.
Commenting on the incident, Francis Fong Po Kiu, honorary president of the Hong Kong Information Technology Federation, told MARKETING-INTERACTIVE that the leaked data could be misused in several ways, including damaging the reputation of the clinic, using patients' personal information to commit fraud, or even blackmailing the clinic or its patients.
Fong added that the company's current cybersecurity checks may be insufficient and that the clinic should identify the loophole in its security system. “For some companies, even though their systems are protected against cyberattack, some staff who use their own workstation may have malware threats. When they use their own workstation to access the company's data, the companies may be affected by a data breach as well,” Fong said.
Adding to Fong's views, Ho Wa Wong, convenor of the Open Data Working Group at Internet Society Hong Kong, said it was hard to understand why the group had failed to explain how much data was taken. The situation may suggest that even the company itself has no idea who exactly has access to its own system.
“While the U.S. is adopting HIPAA (The Health Insurance Portability and Accountability Act of 1996) to protect sensitive patient health information from being disclosed without the patient's consent or knowledge, there’s only PCPD to ensure the protection of the privacy of individuals, which is insufficient,” Wong said.
He added that since patients’ medical records may be leaked, it may subject them to unnecessary discrimination and harm.
MARKETING-INTERACTIVE has reached out to OT&P Healthcare and PCPD respectively for a statement.