Hong Kong’s Hospital Authority bars all contractors’ access to data after leak

Hong Kong's Hospital Authority has taken the drastic step of suspending all external contractors' access to its patient data systems following a significant security breach at United Christian Hospital. The leak, which is now under police investigation, exposed the sensitive personal information of more than 56,000 patients. The compromised data included highly personal details such as full names, Hong Kong identity card numbers, genders, dates of birth, hospital visit dates, and specifics of surgical procedures performed. Over 1,000 Hospital Authority employees were also caught up in the breach, though the exact nature of their exposed data was not detailed.

In response to the incident, the authority announced a suite of emergency security measures on Thursday. Beyond the blanket suspension of contractor access, the new protocols include deploying internal staff to directly supervise any emergency system maintenance performed by external parties. This supervision is explicitly designed to prevent illegal data downloads. The authority is also considering barring the contractor firm responsible for the leak from bidding on any future projects, though it has declined to comment on whether existing contracts will be terminated or if any staff will face disciplinary action, citing the ongoing police probe. This incident highlights the critical vulnerabilities in third-party data handling within essential public services and the severe consequences of such lapses.