PDPC levies fines of B15m in 5 data breach cases

Out in the open: Patient files that had been sent for destruction were instead made into paper pouches to hold 'khanom Tokyo' snacks, the data protection watchdog discovered.

The Office of the Personal Data Protection Committee (PDPC) has imposed fines worth over 15 million baht in five cases involving serious breaches of personal data, including the leak of patient medical records from a major private hospital, says its secretary-general, Pol Col Suraphong Plengkham.

The hospital incident drew wide public attention after photos surfaced online showing snacks wrapped in discarded patient documents.

The PDPC probe found the hospital subcontracted a family-run business to destroy sensitive documents, but the contractor failed to follow proper procedures and did not inform the hospital of the breach.

More than 1,000 pages of health records were leaked during the disposal process.

As a result, medical records, which are classified as "sensitive personal data" under Section 26 of the Personal Data Protection Act, were not properly destroyed. The hospital was fined 1,210,000 baht while the contractor was fined 16,940 baht.

In another case, a state agency was fined 153,120 baht after a cyberattack compromised its web application. Personal data belonging to more than 200,000 individuals was stolen and offered for sale on the dark web.

The PDPC investigation found the state agency failed to implement adequate cybersecurity measures, conduct risk assessments, or sign a data processing agreement with the system developer. The developer was also fined 153,120 baht.

The three other cases involved retail and e-commerce businesses.

One computer and accessory company was fined 7 million baht, a cosmetics firm 2.5 million baht and a collectible toy seller 500,000 baht, with its data processor fined an additional 3 million baht.