The Hospital Authority (HA) on Thursday pledged to tighten security measures and conduct a holistic review of its vendor management to reduce the risk of data breaches.
This follows the arrest of a contract worker earlier this month on suspicion of accessing the personal data of more than 56,000 patients before leaking it online.
The HA stressed that the breach was an isolated incident involving a violation of contract terms during system repair work.
"We are reviewing the entire contractual system with all Hospital Authority suppliers to see if there are any overlooked areas," said lawmaker Duncan Chiu, who chairs the HA’s Information Technology Services Committee.
"In this case, the liability for data theft is covered in our agreement with the supplier. We will now holistically examine our relationships with all vendors."
Chiu also pointed out that the authority's Clinical Management System - which contains comprehensive patient medical records - was not affected.
He noted that the data was stolen from a vendor-supplied subordinate system used for surgical documentation, which contains limited personal details without any contact information such as addresses and phone numbers.
Clara Cheung, Chief Information Officer of the HA, said that as an immediate remedial measure, the authority had tightened access for all vendors to vendor-supplied systems.
"Except for emergency operational needs, then they can apply and we will have an approval and monitoring process to make sure that they are doing their maintenance work professionally," she explained.
Cheung added that the authority will consider suspending the contractor from applying for future HA tenders.
Edited by Priscilla Ng
