Cyber Incident Victim: OT&P Healthcare
Date: May 2023
Location: Hong Kong
Summary
A Hong Kong healthcare group, OT&P Healthcare, suffered a cyberattack on its management and operating system, potentially compromising the personal data and medical history of approximately 100,000 patients. The compromised information included some patients' Hong Kong identity card and passport numbers, though financial data was not accessed. The clinic group took its systems offline and engaged third-party experts for a forensic investigation, notifying patients and relevant authorities of the incident.
Description
On May 4, 2023, OT&P Healthcare, a private healthcare group operating eight clinics in Hong Kong, experienced a significant cyberattack targeting its management and operating system. The internal IT department at OT&P first detected the incident on the afternoon of May 4th when they noticed significant "system instability" within their infrastructure. In response to these anomalies, the group promptly engaged third-party cybersecurity experts to assess the situation. These external advisors, upon initial examination, recommended that the core system be taken offline immediately to prevent further unauthorized access or damage, a containment action that was swiftly executed.

The forensic assessment by the third-party experts confirmed that a cyberattack had indeed occurred. The compromised management and operating system was a critical repository, holding both patient identity details and medical records. OT&P Healthcare CEO Robin Green stated that the attackers did have access to this system, though the full extent of the data exfiltrated remained unknown at the time of the initial disclosure and was subject to an ongoing forensic examination. The group confirmed that the attackers did not gain access to patients' financial information or bank details. However, the system did contain sensitive personal data, including the Hong Kong identity card numbers and passport numbers of some patients. The healthcare group estimated that the data of approximately 100,000 patients across its network of clinics could have been exposed in the breach.
OT&P Healthcare undertook notification procedures on May 5, 2023, by reporting the incident to multiple official bodies. These included the Hong Kong Police, the Department of Health, and the Office of the Privacy Commissioner for Personal Data. The privacy commissioner acknowledged the report and stated it was following up on the case. A spokesman for the Department of Health confirmed receipt of the notification on May 5th. The department also noted that OT&P was a participant registered under the government's Electronic Health Record Sharing System (eHR), a platform designed for two-way sharing of patient data among public and private healthcare providers. As a precautionary measure, the Department of Health and the Health Bureau issued a joint statement announcing the immediate suspension of OT&P's eHR account pending a full investigation into all its eHR-related activities. The statement further noted that heightened security monitoring had been implemented and that, so far, there was no indication that any patient records on the central eHR platform had been leaked or compromised.
On Friday, May 5th, OT&P began directly notifying its entire patient base of the cyberattack via email, informing them of the potential compromise of their data. The impact on clinic operations was also immediately evident: one patient who visited the Central clinic on May 5th reported that the internal computer system was "completely down," to the point that ancillary functions such as printing receipts had failed. The potential consequences of the data leak were significant, as explained by Francis Fong Po-kiu, honorary president of the Hong Kong Information Technology Federation. He outlined risks including the misuse of the information to damage the clinic's reputation and the potential for blackmailing patients, particularly those with serious illnesses or private health concerns they wished to keep confidential. This concern was echoed by an affected patient, a 45-year-old long-term resident from England who was a patient at the clinic along with her two children and domestic helper. She expressed worry about the theft and misuse of their confidential medical information and the lack of control patients had over where their information might end up.
In its response, OT&P established an internal team dedicated to answering questions from concerned patients. CEO Robin Green was also personally dealing with patient concerns directly. He publicly expressed that the company was "extremely sorry" for the incident and stated they were doing everything possible to mitigate the extremely difficult situation. Green also addressed the company's security posture, noting that OT&P did conduct regular audits and brought in outside parties to review its policies and procedures. He stated that the most recent advice from these reviews was that the protections in place were considered adequate for their purposes at that time. The Office of the Privacy Commissioner for Personal Data used the incident to reiterate that medical service providers must ensure records are properly handled and that data protection mechanisms are robust. They also advised customers who may have been victims to monitor their accounts and transactions and to be wary of unsolicited requests for personal information. Police appealed to the public and businesses to take precautions such as installing security software, deploying a multilayer defence mechanism, and restricting internal sensitive data. The investigation into the full scale and specifics of the attack remained ongoing as the forensic examination of the compromised system continued.
