Singapore suffers ‘most serious’ data breach, affecting 1.5M healthcare patients including Prime Minister

July 23, 2018

Singapore has suffered its “most serious” data breach, compromising personal data of 1.5 million healthcare patients including that of its Prime Minister Lee Hsien Loong.

The affected users are patients of SingHealth, which is the country’s largest group of healthcare institutions comprising 42 clinical specialties, four public hospitals, five specialty centers, nine polyclinics, as well as three community hospitals.

Non-medical personal details of 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics between May 1, 2015, and July 4, 2018, had been accessed and copied. The stolen data included patients’ name, national identification number, address, gender, race, and date of birth.

In addition, outpatient medical data of some 160,000 patients were compromised, though, the records were not modified or deleted, said the Ministry of Health and Ministry of Communications and Information (MCI), in a joint statement July 20.

“No other patient records, such as diagnosis, test results or doctors’ notes, were breached [and] we have not found evidence of a similar breach in the other public healthcare IT systems,” they said.

The first sign of unusual activities was detected on July 4, 2018, by the Integrated Health Information Systems (IHiS), which is the public healthcare sector’s technology agency and responsible for running local public healthcare institutions’ IT systems.

The agency “acted immediately” to stop the illegal activities and implemented “additional cybersecurity precautions”, whilst carrying out further investigation on the incident. Six days later, on July 10, IHiS informed the Health Ministry and Cybersecurity agency of Singapore (CSA) after confirming it had suffered a cyberattack.

However, while the attack was detected on July 4, it was later established that data “was exfiltrated” from June 27. A police report was filed on July 12 and investigations were ongoing.

In the statement, CSA and IHiS described the attack as “deliberate, targeted, and well-planned”.

No further data was compromised following the discovery on July 4 and IHiS had deployed further measures to tighten the security of SingHealth’s IT systems, including temporarily separating internet access from workstations, resetting user and systems accounts, and installing additional system monitoring controls.

CSA said hackers had gained control through breaching a frontend workstation, from which they then were able to obtain privileged account credentials to gain access to SingHealth’s database.

The prime minister said that government systems were constant targets and while the goal was to prevent every attack, there also was a need to promptly plug the hole when a breach was discovered and improve the systems.

He noted that a Committee of Inquiry had been set up to further assess the incident and recommend measures to better manage and safeguard SingHealth’s as well as other public sector IT systems against similar cybersecurity attacks in future.

ZDNet has the full story

Sponsored Recommendations

The Future of Storage: The Complexities and Implications in Healthcare

Join us on January 23rd to explore the future of data storage in healthcare and learn how strategic IT decisions today can shape agility and competitiveness for tomorrow.

IT Healthcare Report: Technology Insights for a Transformative Future

Explore the latest healthcare IT trends, challenges, and opportunities in AI, patient care, and security. Gain actionable insights to navigate the industry's transformation.

How to Build Trust in AI: The Data Leaders’ Playbook

This eBook strives to provide data leaders like you with a comprehensive understanding of the urgent need to deliver high-quality data to your business. It also reviews key strategies...

Quantifying the Value of a 360-Degree view of Healthcare Consumers

To create consistency in how consumers are viewed and treated no matter where they transact, healthcare organizations must have a 360° view based on a trusted consumer profile...