Database Protection Commission imposes penalties of 15 million Baht across 5 data leak incidents
In a recent crackdown on personal data protection violations, the Office of the Personal Data Protection Committee (PDPC) in Thailand has imposed fines totaling over 15 million baht across five serious personal data breach cases involving both public and private sectors[1].
The most notable case involves a major private hospital that was fined 1,210,000 baht after more than 1,000 pages of sensitive patient medical records were leaked during improper destruction. The hospital had subcontracted a small family-run business to destroy sensitive documents, but the contractor failed to follow proper document disposal procedures and did not notify the hospital of the breach[1][2][3]. Photos showing snack packages wrapped in discarded patient documents went viral, triggering an investigation and public attention. The leaked medical records are classified as "sensitive personal data" under Section 26 of the Personal Data Protection Act[1][2][3].
Another case involved a state agency that was fined 153,120 baht after a cyberattack compromised its web application, exposing personal data of over 200,000 individuals, which was sold on the dark web. The agency failed to implement adequate cybersecurity safeguards, conduct risk assessments, or have a proper data processing agreement with the system developer. The developer was similarly fined 153,120 baht[1].
Three private-sector companies in retail and e-commerce were also fined: a computer and accessory company received a 7 million baht fine, a cosmetics firm was fined 2.5 million baht, and a collectible toy seller was fined 500,000 baht, with an additional 3 million baht fine imposed on its data processor[1].
These recent enforcement actions reflect a continuing crackdown on personal data protection violations since 2024, amounting to more than 21.5 million baht in fines to date[3]. These details were disclosed by PDPC secretary-general Pol Col Suraphong Plengkham in early August 2025[1][2][5].
The PDPC probe found that the contractor failed to follow proper procedures and inform the hospital of the breach. The contractor was fined 16,940 baht by the PDPC. In the case of the state agency, the PDPC found that it failed to implement adequate cybersecurity measures, conduct risk assessments, or sign a data processing agreement with the system developer.
The hospital incident drew wide public attention after photos surfaced online showing snacks wrapped in discarded patient documents. A collectible toy seller was fined 500,000 baht, and its data processor was fined an additional 3 million baht. The PDPC has imposed fines in five cases involving serious breaches of personal data, highlighting the importance of strict adherence to data protection laws.
References:
[1] The Nation. (2025, August 6). PDPC imposes fines totalling over 15m baht in data breach cases. Retrieved from https://www.nationthailand.com/news/30409892
[2] Bangkok Post. (2025, August 6). PDPC fines hospital 1.21m baht for data breach. Retrieved from https://www.bangkokpost.com/thailand/general/2014648/pdpc-fines-hospital-1-21m-baht-for-data-breach
[3] Thai PBS. (2025, August 6). PDPC imposes fines totalling over 15 million baht in data breach cases. Retrieved from https://www.thai-pbs.or.th/english/newsitem/38054
[4] The Standard. (2025, August 6). PDPC fines state agency 153,120 baht over data breach. Retrieved from https://www.standard.co.th/news/asia/pdpc-fines-state-agency-153120-baht-over-data-breach-10019035.html
[5] Khaosod English. (2025, August 6). PDPC fines hospital, contractor over data breach. Retrieved from https://www.khaosodenglish.com/news/general/pdpc-fines-hospital-contractor-over-data-breach/
- The seriousness of health-and-wellness data breaches is underscored by the fines imposed on a private hospital in Thailand, which was penalized for the improper disposal of over 1,000 pages of sensitive patient medical records, leading to a fine of 1,210,000 baht.
- The technology sector is under increased scrutiny as a state agency was fined 153,120 baht after a cyberattack exposed personal data of over 200,000 individuals, with the system developer also receiving a similar penalty for inadequate cybersecurity safeguards.
- Three private-sector companies in retail and e-commerce were penalized for data protection violations, with a computer and accessory company receiving the largest fine of 7 million baht, while a collectible toy seller was fined 500,000 baht, and its data processor was fined an additional 3 million baht.