The Office of the Personal Data Protection Committee (PDPC) has imposed fines totaling 1.22 million baht on a major private hospital and a contractor following a serious data breach involving the improper disposal of patients’ medical records. Shockingly, some of these records were later discovered repurposed as snack bags, raising significant privacy concerns.

Thailand Severs All Internet Links with Cambodia in Sweeping Cybercrime Crackdown

The issue gained national attention after images of the snack bags, made from medical record paper, circulated widely on social media, prompting public outrage. The PDPC did not disclose the hospital’s name, identifying it only as a “large private hospital” responsible for the leaked documents.

Investigations revealed that more than 1,000 medical records were mishandled during the disposal process. The hospital had outsourced document destruction to a small family-run business but failed to oversee the operation. Consequently, the sensitive records—classified as “sensitive personal data” under Section 26 of the Personal Data Protection Act (PDPA)—were improperly discarded, allowing them to enter the public domain.

The contractor involved was found to have taken the documents home, neglected agreed-upon disposal protocols, and failed to report the breach to the hospital. As a result, the hospital was fined 1.2 million baht, while the contractor faced a penalty of 16,940 baht.

A major private hospital in Thailand has been fined 1.2 million baht after paper patient records were found being used as snack bags, according to the country’s data protection watchdog.

Listen to the story or get the full story in the 1st comment. pic.twitter.com/nedeHlIKWS

— Bangkok Post (@BangkokPostNews) August 2, 2025

In a separate case, a government agency providing online services was fined after its system was hacked, exposing the personal data of over 200,000 individuals. The stolen information was later sold on the Dark Web. Authorities determined that the agency had inadequate cybersecurity measures, including weak passwords, and failed to conduct proper risk assessments. Additionally, it had not established a Data Processing Agreement (DPA) with the private contractor handling the data. Both the agency and the contractor were ordered to pay fines of 153,120 baht each.

Three other private-sector companies—a computer retailer, a cosmetics firm, and a collectible toy seller—were also penalized for personal data breaches following public complaints. The computer retailer was fined 7 million baht, the cosmetics company 2.5 million baht, and the toy retailer 500,000 baht as a data controller, along with an additional 3 million baht as a data processor.

Cyber Police Dismantle Chinese Network that Scammed Thai Retirees

Pol Col Surapong Plengkham, secretary-general of the PDPC, confirmed that since the PDPA’s enforcement, six cases have led to nine administrative orders, with total fines exceeding 21.5 million baht. The incidents underscore growing concerns over data security and compliance with Thailand’s privacy laws.

-Thailand News (TN)