On August 1, 2025, Thailand’s Personal Data Protection Committee (PDPC) issued a formal statement regarding a serious data breach involving a prominent private hospital. The incident has sparked widespread attention across social media and raised concerns about data governance in the healthcare sector.
Incident Overview
The hospital, acting as the Data Controller, had outsourced the destruction of over 1,000 patient medical records to a small family-run business. However, the hospital failed to implement proper oversight and compliance checks, resulting in the records being leaked and repurposed as wrappers for street snacks.
The contractor, classified as a Data Processor, stored the documents at their residence and did not follow the agreed destruction protocol. Furthermore, they failed to notify the hospital of the breach, violating their obligations under the Personal Data Protection Act (PDPA).
Administrative Penalties
- Hospital (Data Controller): ฿1,210,000
- Individual Contractor (Data Processor): ฿16,940
- Total Fine: ฿1,226,940
Key Takeaways
This case underscores the importance of robust data protection practices and third-party oversight. The PDPA is now actively enforced across both public and private sectors. Organizations must ensure that all data handlers—internal or external—adhere strictly to legal and procedural standards.
Failure to comply may result not only in financial penalties but also in reputational damage. PDPA compliance is no longer optional—it is a strategic imperative.