Hong Kong’s OT&P Healthcare has apologised to clients after a “threat actor” managed to access its IT systems and obtain patient data.
In an email to patients on Friday, the group of medical clinics said it was working with experts to reinforce its systems and had contacted the authorities.
“As soon as we became aware of the incident we started an investigation in collaboration with a leading global third-party forensics firm,” the email read. “In addition, we are informing the relevant authorities and are confident that they will investigate to the full extent of the law.”
It added that services would continue as normal, and warned patients to report suspicious emails appearing to be from OT&P.
‘A serious cyber-threat’
CEO Robin Green told HKFP on Friday that they were unsure what kind of data was breached, and how many clients were affected: “We have no idea at this stage – we have brought in external consultants who are specialists in this area.”
Green said that “system instability” was noted on Thursday and – by the end of the day – “it became apparent… that it was a potential cyber issue.”
He added that patient data had been taken offline and the data leakage had stopped: “It was certainly not lax security because we have protocols in case, standard procedures, multi-level protection… human error – there’s no indication to suggest that at this stage. Our working assumption is that this is a serious cyber-threat from a sophisticated party as yet unknown.”
Founded in 1994, OT&P operates eight clinics and employs over 200 staff across multiple specialities, according to its website.
Help safeguard press freedom & keep HKFP free for all readers by supporting our team
Support press freedom & help us surpass 1,000 monthly Patrons: 100% independent, governed by an ethics code & not-for-profit.