Hospital fined Bt1.2m after medical records used as snack bags
Thai PBS World
Updated 5 Aug 2568 BE, 08:20 • Published 2 Aug 2568 BE, 21:00
The Office of the Personal Data Protection Committee (PDPC) has fined a major private hospital and a contractor a total of Bt1.22 million for a data breach involving the improper destruction of patients’ medical records, some of which were later found to have been made into snack bags.
The incident came to light when photos of the bags, made from medical record paper, went viral across social media, sparking widespread criticism.
The committee did not reveal the name of the hospital, referring to it only as a “large private hospital” from which patient medical records had been leaked.
An investigation revealed that over 1,000 medical record documents had leaked during the document destruction process. The hospital had hired a small, family-run business to carry out the destruction, but failed to monitor or supervise the process.
As a result, these sensitive documents, defined as “sensitive personal data” under Section 26 of the Personal Data Protection Act (PDPA), entered the public domain because they were not properly deleted or destroyed, in violation of the law.
The contractor was found to have taken the documents home, failed to follow the agreed-upon procedures and did not inform the hospital of the data breach.
The hospital was fined Bt1.2 million, while the operator was fined 16,940 baht.
Meanwhile, a government agency offering online services via a web application was fined after its system was hacked, resulting in the personal data of over 200,000 individuals being stolen and sold on the Dark Web.
The agency was found to have weak cybersecurity measures, including the use of weak passwords, and lacked ongoing risk assessment. It also failed to establish a Data Processing Agreement (DPA) with a private contractor responsible for developing and processing the data.
The PDPC ordered both the government agency and the private system developer each to pay Bt153,120 in fines.
Three other cases involved private-sector companies in wholesale, retail and online sales, where personal data leaks led to public complaints.
A computer and equipment retailer was fined Bt7 million. A cosmetics company was fined Bt2.5 million and a collectible toy retailer was fined Bt500,000 as a data controller and 3 million baht as a data processor.
Pol Col Surapong Plengkham, secretary-general of the PDPC, stated that, since the PDPA came into effect, six cases and nine administrative orders have been issued, resulting in fines exceeding Bt21.5 million.