A cybersecurity expert has expressed concern about data leakage in the healthcare sector, from local hospitals to the ministerial level, following a series of major data leaks.
The latest high-profile case happened on Oct 7 when there was a posting on raidforums.com, a database sharing and marketplace forum, offering data on 100,000 people from Thai hospitals.
This came one month after a user posted on the same website offering to sell 16 million records of Thai patients' data.
Referring to the Oct 7 case, Dr Sutee Tuvirat, a physician and a certified information systems security professional, told the Bangkok Post that the data could have been leaked from the Public Health Ministry.
He said the 100,000 individuals' data is from 11 hospitals, which suggests data could have been leaked from regional or central authority levels.
The responsible agencies cannot deny responsibility even though the Personal Data Protection Act has not yet come into full force, he said, adding that the victims should at least be warned about the breach.
The data can be used by perpetrators to open bank accounts for money laundering or to commit crimes, and the victims are at risk of facing criminal charges without their knowledge, Dr Sutee said.
Organisations responsible for data leaks need to take full responsibility in terms of compensation and other rehabilitation measures, he added.
In Singapore, if a data breach happens in its public health service, there will be an inquiry and a public report made. "In Thailand, we may try to make things quiet and let it disappear," Dr Sutee said.
Meanwhile, the National Cyber Security Agency (NCSA) indicated that the Oct 7 case concerns data leaked from the Sisaket Provincial Public Health Office.
Group Captain Amorn Chomchoey, acting deputy secretary-general of the NCSA, said the healthcare sector was one of hackers' top targets while some local hospitals were found to have only one cybersecurity officer to take care of 200-500 computers at their facilities.
The NCSA has been working with the Ministry of Digital Economy and Society and Dr Bordin Sapsomboon, a member of the National Cybersecurity Committee, in promoting the Hospital Accreditation Information Technology (HAIT) standard in order to raise IT security practices among hospitals. Hospitals in possession of HAIT will receive financial incentives.
"We need to have guidelines to assist public hospitals," he said.
According to Gp Capt Amorn, the agency found at least 20 cases in which hackers used web servers used by state agencies to create fake websites to lure victims into filing important data.
He said that Thailand still does not have a clear structure to compensate victims when their data is misused. In other countries, so-called credit watch operators will be hired by companies to check whether their customers' data has been compromised, and compensation is given when breaches happen.
