Hacked hospital patients' data 'not important'

Hacked hospital patients' data 'not important'

Phetchabun Hospital lost
Phetchabun Hospital lost "unimportant" patient data to a hacker, officials admitted Tuesday. (Photo: Sunthorn Kongwarakom)

PHETCHABUN: Officials have rushed to downplay the theft by a hacker of more than 10,000 patients' personal details from Phetchabun Hospital, describing the information as "not important".

Phetchabun governor Krit Kongmuang was among those who responded to initial reports on social media that the data of 16 million patients of the Public Health Ministry had been hacked and put up for sale on Sunday.

On Tuesday morning Mr Krit quoted the Phetchabun public health office as reporting that data was lost from Phetchabun Hospital, but involved nowhere near as many as 16 million patients.

It was only records of patient admissions and discharges, he said. It was not important.

"There will be an investigation and legal action," the Phetchabun governor said.

The provincial health office did not yet know if or how the stolen information was used, he said.

Reports on social media said the personal information of about 16 million patients of the Public Health Ministry had been stolen and put up for sale for US$500, to be paid in a crypto currency.

Dr Thongchai Keeratihattayakorn, deputy permanent secretary for public health, said at the Public Health Ministry in Nonthaburi in the afternoon that the hacked information was not in the primary database the hospital used to provide public services, and the hospital continued to operate as normal.

The details were in files stored on a separate server used by hospital staff in their daily tasks, he said.

"It did not contain information about patient treatment or results of laboratory tests," Dr Thongchai said.

"It only showed if doctors' inspection charts were completed. The data relates to 10,095 patients and includes names, family names, dates of admission and discharge," Dr Thongchai said.

He then admitted the stolen data also included diagnoses of patients' symptoms.

Possible damage included misuse of the stolen names, family names, phone numbers and medical welfare details, he said.

Hacked information also included databases of patient appointments, names, family names and phone numbers, along with doctors' shifts and the cost of orthopaedic surgery for 692 patients at the hospital.

The risks posed by the theft were still being studied. The data was backed up. The  hospital's information system was being examined, Dr Thongchai said.

He apologised for the incident.

Dr Anant Kanoksilp, information technology director at the Public Health Ministry, said the web-based database that was hacked used an open source programme and was vulnerable. Other servers used by the hospital were not hacked, he said.

The attacked server had been disconnected from the outside and the attacker had not demanded any ransom from the hospital, Dr Anant said.

Sutthipong Wasusophaphon, deputy secretary-general of the National Health Commission, said that personal health data was confidential and could not be legally disclosed except under specific conditions.

Breaches could cause damage and infringe on individuals’ rights. Penaties included a prison term of up to six months and/or a fine of 10,000 baht under the National Health Act, he said.

Do you like the content of this article?