The Digital Economy and Society (DES) Ministry has urged all state agencies to raise their cybersecurity standards for data protection, especially provincial hospitals that need to connect their systems with the Computer Emergency Response Team for threat monitoring.
The move came after a user on raidforums.com, a database sharing and marketplace forum, on Sunday attempted to sell 16 million records of patients' data claimed to have been hacked from the Public Health Ministry.
The Public Health Ministry clarified on Tuesday that the data was hacked from Phetchabun Hospital but it was not the primary database the hospital used to provide public services.
The hospital insisted the data involves around 10,000 patients and it does not contain medical or diagnosis information.
According to DES minister Chaiwut Thanakamanusorn, the hacked database was used in an internal web-based application developed by Phetchabun Hospital, which is not up to security standards.
This budget app has been used since last year to contact patients and follow-up on their conditions. It is linked to the internet network.
According to Mr Chaiwut, the DES Ministry and the National Cyber Security Agency are working together to check whether the hospital breaches personal data protection standards and track down the perpetrators.
He said all organisations, especially state agencies, need to bolster their online defence and provide cooperation in cybersecurity protection following an uptick in cyberattacks.
The Public Health Ministry should also have a centralised data system and applications for their agencies to ward off security risks and support monitoring, he said.
"The problem that happened with Phetchabun Hospital has been tackled by withdrawing the web app and blocking internet access from outside," Mr Chaiwut said.
State agencies and corporates should provide good care of their operations and boost staff awareness about cybersecurity as well as comply with the Personal Data Protection Act (PDPA) and other related regulations.
State agencies must have their database systems and apps centralised for the sake of monitoring threats.
According to the DES Ministry, the leaked patient data from the hospital includes identification numbers of patients, the names of their doctors and nurses, telephone numbers, addresses, birth rates and rights for medical treatment.
The data involved 10,095 inpatients, 7,000 outpatients, 39 ID numbers of doctors, 629 patients subject to surgery cost calculation and 795 patients in field hospitals.
Mr Chaiwut said the Cybersecurity Act, the Computer Crime Act and the PDPA will be used stringently to deal with cyber threats.
The DES Ministry ushered in the personal data protection standard in July 2020, based on the PDPA.
Data controllers must maintain minimum standards for data access and security measures and create staff awareness of personal data protection, he said.
Based on the Computer Crime Act's Section 7, those who gain illegal access to data could face a jail term of two years or a fine of up to 40,000 baht, or both, Mr Chaiwut said.
