[Life] Purchased Hospital Personal Data from Chinese Hackers for Resale; Taipei District Prosecutors Office Indicts 2, Recommends Heavy Sentence

Taiwanese nationals Cheng Yu-hung and Liu Che-hung are suspected of purchasing personal data, including patient records, obtained by hacking into hospital computer networks from an overseas hacker group and selling it. The Taipei District Prosecutors Office today (15th) indicted the two for offenses including violating the Personal Data Protection Act and stated that their legal awareness is weak, requesting the court to impose heavy sentences. The Taipei District Prosecutors Office's indictment stated that Chinese nationals Luo Cheng-yu and Xu Li jointly formed the hacker group Crazy Hunters, and conspired with Chinese national Chao Yi-che, who is engaged in the trading of personal data. The Taipei District Prosecutors Office has issued arrest warrants for the three. According to the indictment, between February and April 2025, the Crazy Hunters hacker group unlawfully intruded into the computer systems of Mackay Memorial Hospital, Changhua Christian Hospital, and a certain company, stole data, revealed it on the BreachForums website, and publicly offered for sale the personal data stolen from the two hospitals. The indictment stated that after Liu Che-hung made arrangements with the Crazy Hunters hacker group, Cheng Yu-hung transferred 1,000 Tether coins from his electronic wallet to purchase personal data such as unspecified patient treatment records from Mackay Memorial Hospital, with the file name "20000.csv." Cheng then offered it for sale to an unknown Telegram user, stating, "There's a copy from Taiwan, just extracted last month from a medical institution" and "My buddies did it, all high-value individuals." After investigation, the Taipei District Prosecutors Office determined that both Cheng Yu-hung and Liu Che-hung are suspected of violating the Personal Data Protection Act by unlawfully collecting and using personal data as a non-public entity, and filed a public indictment today. The prosecutors considered that both individuals were aware that the data was obtained by the hacker group through illegal intrusion into hospital computer networks, and that the content included personal data such as patient records, medical, genetic, or health examination information, which are deeply private. Nevertheless, for the sake of profit, they purchased, collected, and attempted to sell the data, completely disregarding the potential for unpredictable harm to many individuals if the data were leaked. The prosecutors stated that their legal awareness is weak and requested heavy sentences for both. (Editor: Wang Chih-hsin)