Thai Health Ministry presses charges against hospital database hacker

The Ministry of Public Health (MOPH) announced it is pressing charges against the hacker who has obtained and sold personal data from a hospital database in Thailand.

The Ministry of Public Health is pressing charges against the hacker leaking personal information from a hospital database, confirming the incident is not a ransomware attack, and that no sensitive information has been leaked.

The Ministry of Public Health (MOPH) today announced it is pressing charges against the hacker who has obtained and sold personal data from a hospital database in Thailand.

This response from the Health Ministry comes after an offer posted on 5th September posted in an online forum to sell a set of data containing 16 million records hacked from a hospital in Thailand.

The Deputy Permanent Secretary of Public Health, Dr Thongchai Keeratihattayakorn said today the investigation and initial damage assessment launched by the ministry shows the information leaked is a set of 10,095 patient records obtained from a hospital in Phetchabun province, including personal information such as names, addresses, and phone numbers.

The leaked data also includes hospital-related data such as shift rotations and appointment schedules. However, no information related to patients’ treatment is included.

Dr Thongchai said the ministry believes the hackers involved in the case are the same group as those behind the ransomware attack at Saraburi Hospital last year.

Dr Anan Kanoksilp, Director of the MOPH’s Information and Communication Technology Center, said today the hospital in this case is found to be using an open-sourced application requiring internet connection as part of its IT system, creating vulnerability to cyber-attacks.

To date, the hospital has disabled its connection to external networks, while its IT systems are still operational. The incident is also not a ransomware attack, where the hacker would encrypt the data preventing any access, and demand payment in exchange for the decryption key.

Dr Suttipong Wacharasindhu, Deputy Secretary General of the National Health Security Office, commented today that health-related personal information must be treated as confidential. The exposure of such information causing damage considered a breach of personal rights, an offense punishable by the National Health Act with up to six months imprisonment, a 10,000 baht fine, or a combined penalty.

Following the incident, the Ministry of Public Health has pressed charges with the police against the hacker.

Deputy Prime Minister and Minister of Public Health Anutin Charnvirakul, said today the ministry will be discussing the enhancing of cyber security measures, saying however that he believes each hospital already has adequate measures to safeguard patient information. (NNT)