Hospital fined Bt1.2m after medical records used as snack bags

The Office of the Personal Data Protection Committee (PDPC) has fined a major private hospital and its contracted operator a total of 1.22 million baht for a data breach involving the improper destruction of patients’ medical records, some of which were later found ended up as snack bags.

The incident came to light when photos of the snack bags, made from medical record paper, went viral across social media platforms, sparking widespread criticism.

The committee did not reveal the name of the hospital, referring to it only as a “large private hospital” where patient medical records had been leaked.

An investigation revealed that over 1,000 medical record documents had leaked during the document destruction process.

The hospital had hired a small, family-run business to carry out the destruction but failed to monitor or supervise the process.

As a result, these sensitive documents—defined as “sensitive personal data” under Section 26 of the Personal Data Protection Act (PDPA)—were leaked without being properly deleted or destroyed, in violation of the law.

The contracted operator had taken the documents home, failed to follow the agreed-upon procedures, and did not inform the hospital of the data breach.

The hospital was fined 1.2 million baht, while the operator was fined 16,940 baht.

Meanwhile, a government agency offering online services via a web application was fined after its system was hacked, resulting in the personal data of over 200,000 individuals being stolen and sold on the Dark Web.

The agency was found to have weak cybersecurity measures, including the use of weak passwords, and lacked ongoing risk assessments.

It also failed to establish a Data Processing Agreement (DPA) with the private contractor responsible for developing and processing the data.

The PDPC ordered both the government agency and the private system developer to pay 153,120 baht each in fines.

Three additional cases involved private-sector companies in wholesale, retail, and online sales, where personal data leaks led to public complaints:

-A computer and equipment retailer was fined Bt7 million.

-A cosmetics company was fined Bt2.5 million.

-A collectible toy retailer was fined Bt500,000 as a data controller and 3 million baht as a data processor

Pol Col Surapong Plengkham, Secretary-General of the PDPC, stated that since the PDPA came into effect, a total of six cases and nine administrative orders have been issued, resulting in fines exceeding Bt21.5 million.