The Hospital Authority (HA) apologised on Saturday over a data breach that compromised the personal information of tens of thousands of patients, with the police and the privacy watchdog investigating the incident.

The authority said its routine monitoring system identified a breach in the early hours of Friday that resulted in patients' details being taken without authorisation and leaked on a third-party platform.

The incident affected more than 56,000 patients from the Kowloon East cluster, with leaked personal information including their names, gender, identity card numbers, hospital file numbers and details of surgical procedures.

"The HA takes cybersecurity very seriously, and has conducted a thorough review of its internal network systems upon discovering the incident, confirming that the systems are operating normally and securely, with no indication of a cyberattack or similar factors," it said in a statement.

"The HA immediately suspended the contractor's system maintenance work."

The authority also said it had reported the hack to the police and the Office of the Privacy Commissioner for Personal Data, and would contact patients affected by the incident.

"The HA sincerely apologises to the affected patients and will take all practicable measures to minimise the impact on patients," it said.

The police said officers from the cybersecurity and technology crime bureau are probing the breach, while the privacy watchdog also launched an investigation into the incident.



Edited by Thomas McAlinden