Hong Kong Hospital Authority Data Leak Exposes Over 56,000 Patient Records, Probe Underway

Unauthorized access detected in Kowloon East cluster system; police and privacy watchdog investigate possible internal misuse.

Key Points

  • More than 56,000 patients affected in Hong Kong

  • Unauthorised access detected on April 3, 2026

  • Data includes identity details and medical records spanning years

  • No confirmed external hacking; internal access under scrutiny

  • Police and privacy regulator investigations ongoing

Hong Kong’s public healthcare system is under scrutiny after the Hospital Authority confirmed that more than 56,000 patient records were exposed following unauthorized access to its database.

The incident came to light on April 4, 2026, after internal monitoring had flagged suspicious activity at around 2:00 am on April 3, 2026. The affected data relates to patients treated within the Kowloon East cluster, a major regional healthcare network.

Sensitive Personal and Medical Data Compromised

Authorities confirmed that the leaked information includes highly sensitive personal and clinical details such as:

  • Full names and gender

  • Hong Kong identity card numbers

  • Dates of birth

  • Hospital file numbers

  • Dates of attendance and appointments

  • Clinical information including surgical and treatment records

The data reportedly appeared on online forums and social platforms, raising concerns about identity theft and misuse.

Importantly, the records span multiple years, indicating that the breach is not limited to recent patients.

Breach Linked to “Inappropriate Access”

The Hospital Authority clarified that the incident involved “inappropriate access” to its system, rather than a confirmed external cyberattack. Preliminary findings indicate that there is no evidence of hacking so far, and the breach may have resulted from misuse of access privileges or compromised credentials.

Authorities also noted the possible involvement of a contractor responsible for system maintenance, whose access has since been suspended. Investigations are ongoing to determine the exact source and method of the data exposure.

Police and Privacy Watchdog Launch Investigations

The case has been reported to Hong Kong Police for a criminal investigation.

At the same time, the Office of the Privacy Commissioner for Personal Data has initiated a formal probe to assess whether the incident violates the Personal Data (Privacy) Ordinance.

Authorities are examining:

  • How the data was accessed

  • Whether proper safeguards were in place

  • The extent of the leak and potential liability


Hospital Authority Response and Government Support

The Hospital Authority has issued an apology and said it will take all practicable measures to minimize the impact on affected patients. As part of its immediate response, it has suspended the relevant system access, initiated a comprehensive review of its systems and security protocols, and strengthened monitoring of data access. The incident has also been reported to the relevant authorities.

The Digital Policy Office is providing technical and cybersecurity support during the ongoing investigation. Officials have confirmed that hospital services and clinical operations remain unaffected.

Patients Notified, Hotline Activated

Affected individuals are being informed through multiple channels, including the HA Go mobile application, direct phone calls, and official letters. A dedicated enquiry hotline, (852) 5215 7326, is operating daily from 9 am to 6 pm to assist patients.

Authorities have also urged the public to remain vigilant against scams, warning that leaked personal data could be misused to impersonate officials or healthcare workers.

Medbound Times
www.medboundtimes.com