By Patricia A. Pramono • Studio 1080, Published on April 23, 2026
A case from Makassar reveals just how broken the system can be, and what healthcare providers in Indonesia need to do about it.
In August 2025, a young woman from Makassar known publicly as NR reported her ex-husband to the police on allegations of sexual violence. As part of the legal process, she was directed to RS Bhayangkara Makassar for a visum et repertum, a formal medical examination used to document injuries as evidence in court (Sindo, 2025).
Her mother accompanied her into the examination room. When the attending medical staff began photographing NR's body, her mother raised concerns. The doctor assured her it was standard procedure and that the photos would remain confidential.
Within days, those photos (including images of NR's intimate body parts) were circulating on social media. The leak coincided with online rumours that appeared designed to publicly discredit her, compounding the violation of her privacy with reputational harm.
The family's lawyer flagged a critical detail: phones and cameras are prohibited in the examination room because of the highly confidential nature of the procedure. This strongly suggests the leak originated from someone with authorised access, an insider.
The hospital eventually issued a public apology and initiated an internal investigation through its Cyber Unit and Internal Affairs division (Propam).
However, as of February 2026 (five months after the incident) NR still had not been informed who was responsible for the leak. No individual had been publicly identified or held accountable (Idea Times, 2026).
NR addressed the situation directly on her Instagram, writing that the case was not just about her but about how vulnerable data security and privacy remain across institutions.
Her statement raises a question that every healthcare provider should be concerned with.
If a hospital cannot protect the most sensitive data it holds, what does that say about the state of data protection in the sector?
Why Medical Data Demands a Higher Standard of Protection
What makes medical data fundamentally different from other categories of personal information?
Medical records contain some of the most intimate details of a person's life such as outpatient history, diagnoses, mental health histories, reproductive health information, and (as in NR's case) clinical images of the body. Unlike financial data, which can be reset or reissued if compromised, medical information is permanent. A patient's health history cannot be changed or replaced once it has been exposed.
This permanence is precisely what makes medical data so valuable. On the dark web, stolen health records are reported to command significantly higher prices than financial data, because they can be exploited for insurance fraud, identity theft, and blackmail over extended periods.
What makes NR's case particularly instructive for the cybersecurity conversation is that this was not the result of a sophisticated external attack. There was no ransomware involved, no foreign threat actor. This was an insider threat, a person with legitimate access to confidential records who chose to share them. In cybersecurity, insider threats remain one of the most difficult attack vectors to prevent and detect (Cyberity Network, 2026).
A Growing Crisis
NR's experience reflects a broader, systemic vulnerability across healthcare data management, both in Indonesia and globally.
In 2022, Indonesia experienced one of its most significant healthcare data breaches when approximately 6 million COVID-19 patient records were leaked from the Ministry of Health's systems. The compromised data, totalling roughly 720 GB, included names, laboratory results, medical images, and administrative records. It was subsequently found being traded on illegal online forums (Tribun, 2026).
The global trend is equally concerning.
The 2025 Breach Barometer report documented breaches affecting 300 million patient records in 2024, a 26% increase from the previous year (CBQA Global, 2025).
The IBM X-Force Threat Intelligence 2025 report ranks healthcare among the top three most-targeted industries for cyberattacks, behind only finance and government. In Southeast Asia specifically, a 2024 Trend Micro report found that attacks on hospitals had increased by 80% over a two-year period.
Each of these data points represents real individuals whose trust in a healthcare institution was compromised, along with their personal information.
The Legal Landscape in Indonesia
Indonesia does not yet have a standalone law dedicated exclusively to healthcare data protection, unlike the United States, which has the Health Insurance Portability and Accountability Act (HIPAA).
However, the existing regulatory framework in Indonesia is stronger than many organisations may realise. The primary legislation is Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi (UU PDP), which became fully enforceable on 17 October 2024.
Under this law, health data is classified as sensitive personal data, and any entity that processes it, including hospitals and clinics, bears a legal obligation to protect it (SIP Law Firm, 2025).
Beyond UU PDP, several additional regulations also create a layered framework of accountability:
- UU Kesehatan No. 17/2023 states that medical record documents are the property of the healthcare facility, and that the facility is responsible for ensuring their security, integrity, confidentiality, and availability.
- Peraturan Menteri Kesehatan Nomor 24 Tahun 2022 tentang Rekam Medis (Permenkes 24/2022) governs how medical records should be stored, who may access them, and under what conditions medical information may be disclosed to third parties.
- Pasal 133 Kitab Undang-Undang Hukum Acara Pidana (KUHAP) establishes that visum et repertum documents are classified as confidential and are strictly reserved for judicial proceedings.
- UU Informasi dan Transaksi Elektronik (ITE) provides additional criminal penalties for the distribution of personal information intended to cause harm or defamation.
In NR's case, the data leak potentially violated multiple provisions across these regulations, from medical confidentiality requirements to criminal defamation statutes. Her legal team identified at least six separate legal provisions that were arguably breached (Sindo, 2025).
The legal instruments exist. The more pressing question is whether healthcare institutions are implementing adequate measures to comply, and whether enforcement mechanisms carry sufficient weight to deter violations.
What Healthcare Providers Should Be Doing
Understanding the regulatory landscape is necessary but not sufficient. Organisations need to translate legal obligations into operational security measures, such as:
1. End-to-end encryption
A significant number of healthcare systems in Indonesia still store and transmit sensitive data without adequate encryption.
All patient data (whether stored in databases or transmitted between departments) should be encrypted both at rest and in transit. Encryption ensures that even in the event of unauthorised access, the data remains unreadable without the proper decryption keys.
2. Role-Based Access Control (RBAC)
Not every staff member in a healthcare facility requires access to all patient data.
A billing administrator has no operational need to view clinical photographs. A laboratory technician does not require access to psychiatric records.
RBAC systems restrict data access to what is strictly relevant to each individual's role, significantly reducing the risk of insider-driven data breaches, precisely the type of threat that NR's case illustrates.
3. Staff training and awareness programmes
A substantial proportion of healthcare data breaches originate not from external attacks but from internal human factors such as weak passwords, susceptibility to phishing, improper data handling, or (as in NR's case) unauthorised capture and distribution of clinical images.
Regular, mandatory cybersecurity awareness training for all personnel (clinical staff, administrative teams, and support workers alike) is essential. This training must be ongoing and updated to reflect evolving threat landscapes, not treated as a one-time compliance exercise.
4. Security certifications and frameworks
Internationally recognised standards such as ISO/IEC 27001 (Information Security Management), ISO/IEC 27701 (Privacy Information Management), and ISO 27799 (Health Informatics Security) provide structured, auditable frameworks for managing data security. Achieving and maintaining these certifications demonstrates a measurable commitment to data protection to patients, regulators, and institutional partners.
5. Comprehensive audit logging
Every instance of access to sensitive patient data should be recorded: who accessed it, what was viewed, when, and from which device or location. Without comprehensive logging, breach investigations become protracted and often inconclusive, a dynamic clearly reflected in NR's case, where identifying the source of the leak proved extremely difficult even months after the incident.
Audit logging also directly supports regulatory compliance. Under UU PDP, data controllers (including hospitals) are required to notify both the affected data subject and the relevant authorities within 72 hours of a confirmed breach. Meeting this obligation is only feasible with systems capable of detecting anomalous access in near real-time.
6. Security Operations Center (SOC)
The 72-hour breach notification requirement under UU PDP demands real-time monitoring capabilities. A SOC, whether operated internally or through a managed service provider, delivers continuous surveillance of data access and system activity, enabling rapid detection of and response to potential breaches.
For most healthcare providers, particularly mid-sized hospitals and clinics, a managed SOC solution offers a more practical and cost-effective path than building this capability in-house.
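As an added example (not code from the article or from Cisometric), the following Python sketch ties measures 2, 5 and 6 together: a record-access gate that enforces a per-role permission matrix over record categories, writes an audit line for every attempt before any data is returned, and runs three detection rules over that trail that a SOC could alert on. The roles, record categories, registered device list, thresholds and the sample access sequence are all assumptions constructed for the example.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
# Assumed permission matrix: which record categories each role may read.
PERMISSIONS = {
    "attending_physician": {"diagnosis", "lab_result", "psychiatric", "clinical_image"},
    "forensic_examiner": {"diagnosis", "clinical_image"},  # visum et repertum staff
    "lab_technician": {"lab_result"},
    "billing_admin": {"diagnosis"},
}
REGISTERED_DEVICES = {"ws-forensic-01", "ws-lab-03", "ws-billing-02"}  # assumed list
AuditEvent = namedtuple("AuditEvent", "ts user role patient category device allowed")  # one per attempt

class RecordStore:
    """Every read goes through access(); an audit line is written before any data flows."""
    def __init__(self):
        self.audit = []
    def access(self, ts, user, role, patient, category, device):
        allowed = category in PERMISSIONS.get(role, set())
        self.audit.append(AuditEvent(ts, user, role, patient, category, device, allowed))
        return allowed

def flag_anomalies(audit, window=timedelta(minutes=15), max_images=3):
    """Return (user, reason) pairs for denied attempts, reads from unregistered
    devices, and more than max_images clinical_image reads by one user in `window`."""
    flags, image_reads = [], defaultdict(list)
    for e in audit:
        if not e.allowed:
            flags.append((e.user, f"denied: {e.role} requested {e.category}"))
        elif e.device not in REGISTERED_DEVICES:
            flags.append((e.user, f"read from unregistered device {e.device}"))
        if e.allowed and e.category == "clinical_image":
            image_reads[e.user].append(e.ts)
    for user, times in image_reads.items():
        times.sort()
        for i in range(len(times) - max_images):
            if times[i + max_images] - times[i] <= window:
                flags.append((user, f"{max_images + 1}+ image reads within {window}"))
                break
    return flags

def demo():
    """Constructed sample: a routine lab read, a billing clerk denied an image, a
    physician on an unregistered tablet, and an examiner pulling four images fast."""
    store, t0 = RecordStore(), datetime(2025, 8, 20, 9, 0)
    store.access(t0, "lab.adi", "lab_technician", "P-001", "lab_result", "ws-lab-03")
    store.access(t0, "bill.sri", "billing_admin", "P-001", "clinical_image", "ws-billing-02")
    store.access(t0, "dr.rina", "attending_physician", "P-001", "diagnosis", "tablet-unknown")
    for i in range(4):
        store.access(t0 + timedelta(minutes=2 * i), "ex.budi", "forensic_examiner",
                     "P-001", "clinical_image", "ws-forensic-01")
    return store, flag_anomalies(store.audit)
```

The burst rule deliberately fires on an examiner who is permitted to view images: RBAC alone would not notice that pattern, which is why the audit trail and the detection rules over it are the part that shortens an investigation like the one described above.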
Conclusion
Healthcare fundamentally depends on trust. When patients enter a medical facility, they entrust the institution not only with their physical wellbeing but also with their most private information, their conditions, their vulnerabilities, their histories.
When that trust is breached, the consequences extend far beyond the individual affected. Patients may become reluctant to disclose critical health information to their providers. Victims of abuse may hesitate to seek the medical documentation they need to pursue justice. All of this erodes confidence in digital health systems, and the ripple effects compromise the quality and effectiveness of care across the entire system.
As Indonesia continues to advance its digital health infrastructure, data protection must be treated as a foundational requirement.
Meeting the demands of UU PDP (including the 72-hour breach notification window) requires more than good intentions. It requires real-time visibility into who is accessing your data, when, and how.
Cisometric's Security Operations Center (SOC) provides 24/7/365 threat monitoring, rapid incident response with under 5-minute response times for critical cases, and comprehensive audit logging, all powered by AI and machine learning through an advanced XDR platform.
Our SOC is built to help healthcare organisations detect insider threats, maintain compliance with regulations like ISO 27001 and UU PDP, and respond to breaches before they escalate. Select packages also include threat intelligence with dark web monitoring, enabling organisations to detect if their data, including patient records, is being traded or exposed on illegal platforms.
Whether you're a hospital, clinic, or digital health provider, our scalable SOC solutions are designed to give you enterprise-grade protection without the cost and complexity of building an in-house security team.
Get in touch with our team to discuss how we can help protect your patients' data and their trust.
References:
- https://www.instagram.com/p/DU-dBC2k99R/?igsh=MTlvMmZ0cGlscjBxMA==
- Setahun Berlalu, Selebgram Nira Kecewa RS Bhayangkara Belum Publis Pelaku Penyebar Hasil Visumnya
- Layangkan Somasi, Keluarga NR Tuntut RS Bhayangkara Makassar Cari Dalang Penyebar Foto Hasil Visum
- Pentingnya Perlindungan Data Kesehatan Pribadi
- Urgensi Pelindungan Data Pribadi pada Sektor Kesehatan
- 60% Rumah Sakit Alami Kebocoran Data!
- Melindungi Privasi di Era Digital: Mengatasi Kebocoran Data Rekam Medis Pasien COVID-19