Personal information concerning 2.2 million Thais, allegedly stolen from the Public Health Ministry’s IT system, has been found on sale on the dark web. The Minister denied that his Ministry was the source. Meanwhile, the Rural Doctor Society said cyber security is a major concern for hospitals, revealing that hospitals have been ordered to strengthen cyber security, but with no budget allocated for this.

The Rural Doctor Society (RDS) revealed the latest data leak on Monday, saying that personally identifiable information (PII) on 2.2 million Thais was on sale on the Breachforums site for US$10,000. The seller claimed the source of the data was the Ministry of Public Health (MOPH).

The Public Health Minister, Chonlanan Srikaew, responded that the leaked information was not from the Ministry since no evidence showed that data from the Ministry was traded. He also asserted that the Ministry has a safeguard system monitored by staff at all times, according to The Standard and Spring News.

The Ministry admitted that Roi Et Hospital’s database system was attacked by a hacker on Monday night, but the situation was promptly brought under control. Chonlanan said some provincial hospitals are under a linked information system under intensive surveillance. He noted that in hospitals that have not yet joined this group, personnel will receive specific cyber security training.

The RDS also reflected that security systems are a major concern for hospitals, which are urged by the Ministry to address cyber security, but no budget is allocated to this.

“The complaints from many hospitals say that cyber-security is a very big issue. Most hospitals are not good at it. The Permanent Secretary of the MOPH has a policy ordering all hospitals to work on this and gave out a single-page order, but there wasn’t  a single baht in budget. Until now, there has been no budget from the central government. All hospitals have to struggle on their own,” said the RDS.

The RDS noted that such incidents happened repeatedly. Last year, information on 55 million Thais was hacked and sold on the dark web by a hacker called “9Near”, later identified as an army sergeant, who allegedly obtained the data from the Mor Prom application launched by the MOPH. However, it has still not been confirmed that the leaked data came from the app and no further information has been released since the Digital Economy and Society Ministry press conference on 7 April 2023.

This time, PII data on 2.2 million Thais was sold by a user named “Infamous,” whose account was created earlier in February. The leaked data contained sensitive information, including full names, phone numbers, 13-digit ID numbers, and birthdates. It has been questioned whether this type of data is specific to the MOPH since it can be found on other websites as well.

Thailand has experienced several data leaks. According to PDPA Thailand, a data protection consulting agency, the country experienced 6 significant data leaks between 2018 and 2023. These leaks were attributed to two main factors: infiltration by hackers and negligent protection protocols. Two of these cases involved healthcare services, the first at a provincial hospital which was targeted by ransomware, with a threat to damage patient databases, and the second at a kidney institute which was attacked by a hacker who stole data on over 40,000 patients.