bangkokpost.com - A major private hospital in Thailand has been fined 1.2 million baht after paper patient records were found being used as snack bags, according to the country’s data protection watchdog.

The incident was among five major cases reported on Friday by the government’s Personal Data Protection Committee (PDPC), along with penalties imposed against entities for violating data laws.

The hospital, which was not named, came under scrutiny after paper files from its patient registry were found being used as pouches for crispy crepes, known locally as khanom Tokyo.

The committee’s investigation revealed that over 1,000 protected files had been misplaced after being sent for destruction.

The hospital said it had entrusted document disposal to a small business but failed to follow up. The business owner admitted fault, explaining the documents were leaked after being stored at their home.
The PDPC fined the hospital 1.21 million baht. The disposal business owner was fined 16,940 baht.

In another case, the committee revealed that a state agency leaked the personal information of over 200,000 citizens after a cyber-attack on its web application. The data was later posted for sale on the dark web.

An investigation found inadequate security measures, such as weak passwords and no risk assessment, as well as the absence of a data processing agreement with the web app developer.

A combined fine of 153,120 baht was imposed on both the agency and its private contractor.

The other three cases involved leaks from online retailers and distributors, with fines ranging from 500,000 to 7 million baht.

Since 2024, the PDPC has concluded six cases of personal data violations, totalling 21.5 million baht in fines.