Fullerton Health's booking vendor hacked

Data of healthcare group's customers put up for sale in online forums; police investigating

David Sun
Crime Correspondent
Updated
Oct 26, 2021, 05:00 AM
Published
Oct 26, 2021, 05:00 AM

Personal details of Fullerton Health customers were stolen by hackers and hawked online, after a vendor of the private healthcare group suffered a breach earlier this month.

The data was put up for sale on hacking forums from Oct 11, and could be bought for US$600 (S$807) in Bitcoin. However, checks by The Straits Times showed that the hackers took down the posts on the data sale last Friday.

The hackers claimed they managed to steal the data of about 400,000 people, including insurance policy details of Singaporeans.

A sample of the data uploaded by the unidentified hackers included customers' names and identity card numbers, as well as information about bank accounts, employers and medical history.

It also had personal details of the customers' children.

A sample document that was shared by the hackers bore the letterheads of Fullerton Health and Singapore Airlines.

The breach was of a server used by Agape Connecting People, a social enterprise that provides contact centre services.

Agape was engaged as a vendor to handle bookings by Fullerton Health customers. The medical service provider discovered the breach shortly before informing Agape about it last Tuesday.

Both have made police reports and the Personal Data Protection Commission has been informed. Investigations are ongoing.

Responding to queries from ST, Fullerton Health confirmed that its own networks were not compromised, and it is still trying to establish the exact number and identities of those affected.

Mr Ho Kuen Loon, group chief executive of Fullerton Health, said there is no disruption to its services resulting from the breach.

"We take this matter very seriously as confidentiality of our customers' personal data is of utmost importance to us," he said.

"We will be reaching out to affected customers whose personal data may have been affected at the earliest possible time."

Fullerton Health, which specialises in designing customised medical services for corporate and insurer clients, said the breach involved only data of patients from its Singapore operations.

It has engaged cyber-security experts to work with Agape to prevent such an incident from happening again.

Yesterday, Agape said its system was isolated and suspended immediately once the breach was discovered, and that no credit card or password information was exposed.

"We are in the process of confirming that no other clients of Agape Connecting People were affected," it added. "We regret that this incident has caused inconvenience to our client and its customers."

Checks by ST found that the hackers specialise in the pilfering and sale of data from the e-commerce and healthcare sectors.

They continue to hawk data from numerous organisations in many countries.

When contacted, the hackers said they had stopped the sale of the Fullerton Health data after having found a "good buyer", but did not provide further details.

Fullerton Health is one of the private healthcare providers involved in Singapore's national vaccination programme.

ST understands that the stolen data is not related to the programme.

A spokesman for the Ministry of Health (MOH) said it was informed by the police about the data breach involving the vendor.

She said: "The vendor is not connected to MOH's IT systems, which are not affected by the incident. The outsourced vendor is not involved in vaccination."

Join ST's WhatsApp Channel and get the latest news and must-reads.

A version of this article appeared in the print edition of The Straits Times on October 26, 2021, with the headline Fullerton Health's booking vendor hacked. Subscribe

Available for
iPhones and iPads
Available in
Google Play

MCI (P) 066/10/2023. Published by SPH Media Limited, Co. Regn. No. 202120748H. Copyright © 2024 SPH Media Limited. All rights reserved.

Back to the top