Reports Unauthorised Access and Leak of Patient Data – Over 56,000 Individuals Affected HKCERT Urges Enhanced Protection and Proactive Risk Management

(Hong Kong, 4 April 2026) The Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) has issued a security alert regarding a data leakage incident involving a local healthcare establishment. The Hospital Authority (HA) has reported that its routine monitoring system detected a suspected case of unauthorised access to patient data and subsequent leakage on a third-party platform at around 2:00 am on 3 April. The HA reported the case to the police and notified the Office of the Privacy Commissioner for Personal Data (PCPD) on the same morning. The incident involves over 56,000 patients from the Kowloon East Cluster. The leaked data includes patients' names, genders, Hong Kong identity card numbers, hospital file numbers, and information on surgical procedures performed. The HA has emphasised that the incident does not involve a cyber attack and has immediately suspended the contractor's system maintenance work. The HA will fully cooperate with the police investigation and will notify affected patients via the "HA Go" mobile application, by post, and by telephone.

HKCERT reminds the public that leaked information could be exploited by malicious actors for cybercrimes including identity theft, phishing attacks, social engineering fraud, and extortion. Considering the potential long-term risks such incidents pose to individuals and organisations, HKCERT strongly advises both organisations and the public to adopt proactive defence strategies to enhance their overall security posture:

For Individuals:

1. Beware of phishing and social engineering attacks: Exercise caution when handling suspicious emails, messages, or phone calls. Do not readily provide personal or login information and stay alert to potential phishing and social engineering attacks that may leverage leaked data.
2. Monitor personal identity and financial activities: Regularly check bank accounts, credit cards, and medical records for any unfamiliar login records, unusual access, or unauthorised transactions.
3. Enable Multi-Factor Authentication (MFA): Activate MFA for all important online accounts, including healthcare platforms, banking, and public services.
4. Change passwords regularly: Use strong, unique passwords for important accounts and avoid reusing the same password across multiple services.
5. Check device security: Install antivirus software on computers and mobile devices, perform regular scans, and remove potential threats.
6. Stay informed on security news: Follow HKCERT's latest security alerts and advice to receive real-time threat notifications.
7. Seek assistance: If you discover that your personal data has been leaked, report it to HKCERT and the Office of the Privacy Commissioner for Personal Data (PCPD) for assistance.
    

For Organisations:

1. Strengthen the oversight of contractors' and vendors' cybersecurity measures: Establish cybersecurity policies and standards for suppliers and incorporate cybersecurity requirements into supplier quality assessment items and contract terms, mandating strict compliance by suppliers. Regularly audit the security risks of third-party systems and data processing procedures to ensure that outsourced partners continuously meet security standards and contractual obligations, thereby reducing external risks. For third-party system access permissions, adopt the principle of least privilege, and consider solutions such as privileged access management and time-limited access to enhance the protection of sensitive data and core systems.
2. Strict data access management: Restrict access to sensitive data (e.g., medical records, identity information). Regularly review and update access permissions and ensure that third-party access is monitored.
3. Data encryption and protection: Use strong encryption for data both at rest and in transit to prevent interception or leakage.
4. Establish a data breach response plan: Include incident reporting, risk assessment, notification of affected parties, and remediation measures. Coordinate response efforts with suppliers.
5. Regular audits and monitoring of third-party activities: Deploy monitoring systems to detect unusual data access behaviour and maintain complete audit logs.
6. Training for all staff and contractors: Provide training on cybersecurity, data protection, and compliance to reduce the risk of data breaches caused by human error.
7. Regular data backups: Ensure backup data is stored securely and encrypted to enable rapid system recovery following an incident.
8. Continuous security awareness enhancement: This includes regularly reviewing security policies, updating protective measures, and staying informed of the latest cybersecurity information and advice from HKCERT.
9. Multi-Factor Authentication (MFA) and account security: Although this incident did not involve a cyber attack, it is still recommended to enable MFA for system administration accounts and databases to prevent unauthorised logins.
10. Report cybersecurity incidents: If an organisation detects a system intrusion, it may report to HKCERT for assistance. If the incident involves personal data, it should be immediately reported to PCPD.
     

Businesses or members of the public who wish to report to HKCERT on cybersecurity related incidents such as malware, phishing, denial of service attacks, etc. may complete the online reporting form at: https://www.hkcert.org/zh/incident-reporting, or call the 24-hour hotline at 8105 6060. For further enquiries, please contact HKCERT by email at hkcert@hkcert.org.

-Ends-