A private medical facility in Thailand has come under fire after it was discovered that confidential patient records were being repurposed as wrappers for street food. This shocking negligence resulted in a penalty exceeding ₹32 lakh.
The whole situation came to light when Doctor Lab Panda, a local influencer, documented seeing crispy crepes, known as khanom Tokyo, being wrapped in papers displaying personal health information. Startlingly, among those exposed records were details of a patient diagnosed with hepatitis B.
The influencer shared images of these wrappers online back in May 2024, quickly drawing widespread attention. The post amassed more than 33,000 reactions and 1,700 comments, as reported by the South China Morning Post. To date, officials have not disclosed the hospital’s name.
On August 1, the Personal Data Protection Committee in Thailand handed the hospital a hefty fine of 1.21 million baht (just over ₹32 lakh) for the breach, which involved more than a thousand confidential files. Evidently, the hospital had outsourced document destruction to a small family business, but failed to follow up on whether the files were properly disposed of.
Rather than destroy the documents, the contractor kept the records at home and failed to notify the hospital when the leak occurred a clear violation of Thailand’s standards for patient information protection.
The contractor faced a separate penalty of 16,940 baht (close to ₹49,000). This incident marks just one of six such breaches the PDPC has addressed since Thailand fully implemented its data protection law in 2022.
Social media has been flooded with concerns. One commenter cited by SCMP noted that while transmission of hepatitis B via paper is unlikely, the real worry is that these wrappers have already been handled by too many people and could carry toxins from the printed ink. Others called for boycotts against vendors using such recycled materials and emphasized that medical documents should be shredded rather than repurposed to save money. Some even demanded more robust patient protections, insisting the hospital ought to face stricter consequences, possibly even losing its license.
The controversy over confidential patient data is not restricted to Thailand. In June, two major hospitals in North Delhi Sant Parmanand and NKS Super Speciality experienced cyberattacks. Initially regarded as technical glitches, these incidents were later confirmed as breaches, with hackers accessing sensitive patient and billing data.
India’s Digital Personal Data Protection (DPDP) Act, 2023 seeks to safeguard patient information, mandating that hospitals and clinics secure patient consent before collecting or handling health data. The law restricts data use to legitimate, well-defined purposes and requires institutions to store such data securely with passwords and encryption. Patients themselves have the right to access, modify, or even erase their records.
Violations of these rules come with stiff consequences. Indian hospitals failing to implement proper security measures could face fines as high as ₹250 crore in cases of data breaches, underscoring the importance of robust safeguards in today’s digital age.
