Police said they have arrested a man working for a contractor commissioned by the Hospital Authority for allegedly stealing the personal data of tens of thousands of patients.

The data breach resulted in details of more than 56,000 patients from the Kowloon East Cluster being taken without authorisation and leaked on a third-party platform.

Officers said the 30-year-old suspect, who worked as a system developer for the contractor, was arrested on suspicion of access to computer with dishonest intent after analysing the system's logs.

Cheung Hau-yee, superintendent of the force's cybersecurity and technology crime bureau, said officers are trying to establish a motive for the data breach.

"We noticed that files of the leaked data were put online. We and the Hospital Authority's IT department are actively working to request the relevant platforms to remove the relevant information," she said.

Tony Ha, the authority's director of strategy and planning, said the contractor was responsible for a system related to operating rooms of the cluster's hospitals.

"The system contained the personal data of patients requiring surgery and details of surgical procedures, among other information. The system involved in this case is not connected with the clinical management system. The system in question only involves information relating to the operating room," he said.

"Neither the system nor the contractor is authorised to access the complete medical records of patients."

Ha also said the authority had suspended all contractors from accessing its systems, and that any emergency maintenance would require the approval and supervision of the authority.


Edited by Edmond Fong