On Tuesday, Thai Public Health Minister Anutin Charnvirakul revealed that the personal data of 16 million patients, including their addresses and telephone numbers, had been stolen from the ministry’s database.
The attack came to light after a popular social media page posted a message saying the leaked information was for sale on Raidforums.com for $500.
The stolen data included identification codes, patients’ addresses and telephone numbers, their hospitals’ names, dates of birth, doctors’ information, and passwords for hospital systems.
Raidforums.com had successfully hacked a prominent e-commerce website in the past, the post added.
According to Mr. Anutin, the relevant officials began investigating the hacking case, which initially took place in Phetchabun province. Revealing confidential information is a crime and a violation of the Computer Crimes Act and Section 7 of the National Health Act, he added.
“Once the hacker is found, we will take legal action till the end because this has caused damage to the ministry and patients,” he said.
Meanwhile, provincial officials described the hacked information as “not important” when speaking of the theft of over 10,000 patients’ personal data at Phetchabun Hospital.
Phetchabun’s governor Krit Kongmuang was one of the first officials to respond to initial social media reports that 16 million patients’ data from the Public Health Ministry had been hacked. Citing the province’s public health office, he stated that data from the local hospital had been lost but that the loss did not involve nearly 16 million patients.
Mr. Krit said it was not important as the leaked data comprised only patient admission and discharge records.
However, he said that an investigation would be launched and legal action would be taken, adding that the provincial health office did not know if the hackers had used the stolen information.
Dr. Anant Kanoksilp, information technology director at the Public Health Ministry, revealed that the hacked web-based database used open-source software and was vulnerable. The attacker did not hack into other servers used by the hospital, he added.
The hacker did not demand any ransom from the hospital. Also, the attacked server was disconnected from the outside, Dr. Anant explained.
According to Sutthipong Wasusophaphon, deputy secretary-general of the National Health Commission, personal health data is confidential and cannot be disclosed outside legal parameters.
Breaching the norm can violate individuals’ rights. Therefore, offenders can be punished with a prison term of up to six months and fined 10,000 baht under the National Health Act, he went on.