Hospital Authority's statement regarding suspected incident of patient data being leaked on third-party platform
******************************************************************************************
The spokesperson for the Hospital Authority (HA) made the following statement today (April 4) regarding the suspected incident of patient data being leaked on a third-party platform:
The HA's routine monitoring system detected at around 2am yesterday (April 3) a suspected case of patient data being taken without authorisation and leaked on a third-party platform. The HA promptly reported the matter to the Police and the Office of the Privacy Commissioner for Personal Data in the morning, and will fully co-operate with the Police investigation and actions.
The more than 56 000 patients involved in the incident are from the Kowloon East Cluster. The leaked data contains information including patients' names, gender, Hong Kong identity card numbers, hospital file numbers, and details of surgical procedures.
The HA sincerely apologises to the affected patients and will take all practicable measures to minimise the impact on patients. The HA will notify the affected patients via the "HA Go" mobile application, mail and phone calls as soon as possible. The Kowloon East Cluster has also set up a dedicated hotline at 5215 7326 for patient enquiries. The hotline operates Monday to Sunday from 9am to 6pm. Patients may also leave messages outside of hotline operating hours and staff will respond as soon as possible.
The HA takes cybersecurity very seriously, and has conducted a thorough review of its internal network systems upon discovering the incident, confirming that the systems are operating normally and securely, with no indication of a cyberattack or similar factors. The HA immediately suspended the contractor's system maintenance work.
The HA has been continuously implementing various measures to strengthen its healthcare systems, including ongoing enhancements to cybersecurity safeguards, user security awareness, cybersecurity of critical infrastructure, as well as network monitoring and incident response capabilities. The HA will also collaborate with law enforcement agencies and cybersecurity organisations to enhance cybersecurity, so as to ensure appropriate protection of hospital operations, patient services, and personal data security. The HA also urges affected patients to remain vigilant and be alert to whether their personal data may be used for other purposes, take steps to protect their personal data such as changing passwords, and seek police assistance if necessary.
Ends/Saturday, April 4, 2026
Issued at HKT 14:58
Issued at HKT 14:58
NNNN