It is shocking to learn that hackers managed to crack into the database of a state hospital in Phetchabun and make a profit from selling the information of thousands patients on the dark web.
Yet it is not the first time that state hospitals have been targeted by hackers. In September last year, Saraburi Hospital's database was attacked in the same manner.
Also yesterday, another hospital, the Bhumirajnakarin Kidney Institute in Bangkok was another victim, with the hackers demanding a ransom in exchange for the records of 40,000 patients.
Equally shocking is the reaction of state agencies. In response to the attack on the hospital in Phetchabun, Public Health Minister cooly said the stolen data contained general, not classified, information.
His answer reflects the small priority the Public Health Ministry attaches to the issue of cyber security, despite the fact the ministry has in its hands the personal data of all Thai citizens.
In a country with a reliable safeguard against cyber attacks, patients whose personal data is compromised must be informed of such breaches, so they can act to keep their private data secure, for instance, by changing their passwords. In regions with strong laws on personal data protection, those responsible for allowing such breaches to occur will face investigation and compensate consumers for putting them at risk of identity theft.
But Thailand has neither strong cyber security safeguards nor data protection regulations. Despite the Cybercrime Act being in place for two years now, there is still no organic law which would enable real action. Meanwhile, the enforcement of the Personal Data Protection Act (PDPA) has been pushed back another year.
As such, the government's inadequate response to the breach, or any other hacking in the past, wasn't really a surprise. Yesterday, in a knee-jerk reaction, the ministry said it would set up its own cybercrime unit to provide an immediate response to future breaches. The latest incident confirmed how hollow the government's aspirations to be an e-government and how baseless the Thailand 4.0 campaign are.
It's an open secret that state agencies receive only a meagre budget for cyber security. But the budget problem is not only limited to state hospitals. Other ministries, even private companies, are short on budgets to spend on cyber security infrastructure.
The government needs to prioritise and allocate more budget for cybercrime prevention. The hacking of state hospitals were just a prelude, as cyber criminals now know how vulnerable Thai databases are. Needless to say, recent attacks against the public and private sectors indicate that data leaks and digital threats will become ever more commonplace in the years to come.
Indeed, many public institutes and private companies have fallen victim to cyber attacks in the past few years. It was reported that the data of some 30 million people in Thailand, including their national identity card details, telephone numbers, addresses and birth dates, have been hacked. Without laws such as the PDPA to protect consumers, companies and government agencies can decide to seal their lips to protect their reputation, to the detriment of consumers.
The government can set a precedent by turning the latest incident into an opportunity. The Public Health Ministry must inform patients and provide help to safeguard their data. A probe must be launched and the results should be made public. It's impossible to root out hackers overnight, so what the authorities can and should do right away is protect consumers.