Patients whose personal information was hacked from Phetchabun Hospital should be informed and warned of possible follow-up scams, a non-profit organization focused on internet freedom and digital rights told Thai Enquirer on Wednesday.
“At the very least, they must be informed that their information has been affected,” said Arthit Suriyawongkul, co-founder of the Thai Netizen Network.
His comments came after the Ministry of Public Health admitted on Tuesday that a hacker successfully retrieved the personal information of 10,095 patients from the state-owned hospital’s sub-databases.
The ministry said the compromised information does not contain medical records or the patients' national identification numbers, contrary to the claims of the hacker, who uses the username “inanimate” and is trying to sell the information on Raidforums.com for US $500.
“The information was not taken from the hospital’s main server and they have nothing to do with diagnosis information or any laboratory data,” said Dr Thongchai Kiratihatthayakon, the Deputy Permanent Secretary for Public Health.
“They include information on doctors’ audit charts…which contain information on 10,095 patients that does not include treatment information; they contain first name, last name, the date of admission, the date of discharge and appointment date,” he said.
The hacker initially claimed that 3.75 gigabytes of data had been retrieved from the hospital.
More than just names
Arthit said the hacked personal information contains more than just names: it also includes gender, date of birth, the doctor in charge of the patient’s care, the ward in which the patient was treated, the patient’s medical expenses at the hospital and their treatment entitlements.
“This information can be used to guess which group of illness the patient might belong to,” he said.
“Some people might not want others to know what kind of illness they have and such medical information is considered to be sensitive by law,” he said.
Arthit said hackers or scammers could use the hacked information for “social engineering”, a manipulation technique used to obtain private information, passwords or valuables.
Such “human hacking” scams typically lure users into exposing data, spreading malware or giving away their passwords, and such attacks can happen both online and in person.
“With the information, the scammer would have the patient’s name, the name of their doctor, the dates of their treatment which could be similar to the audit dates, the expenses that the patient had paid,” he said.
“The scammer could pretend to be a representative from the hospital, a representative from the social security office or a representative of the insurance company that the patient is insured with, and then use their fake identity to extract the information they want from the patient and make them pay for products that do not exist,” he said.
Arthit said the hospital and related agencies must warn the patients, and that if they fail to do so, the patients could sue them.