72 HealthHub accounts accessed without authorisation, e-service shut down for 6 days

As a precautionary measure, access to the HealthHub mobile app and website was suspended from Oct 9 to 14. Access to the HealthHub mobile app and website has since been restored. PHOTO: SCREENGRAB FROM HEALTHHUB

SINGAPORE - About 70 HealthHub accounts are suspected to have been accessed without authorisation in recent days, despite nationwide calls to tighten cyber security since the attack on SingHealth's database in June.

Both the HealthHub and SingHealth incidents - although seemingly unrelated - happened under the watch of Integrated Health Information Systems (IHiS) which runs the IT systems of all public healthcare operators in Singapore.

The HealthHub e-service and app, launched in 2015, is a gateway to citizens' clinic appointments and medical records.

In a statement on Thursday (Oct 18), the Health Promotion Board (HPB), which runs HealthHub, and IHiS said they started investigations after receiving feedback from a user that her e-mail account had been used to access the portal without her authorisation.

They discovered that there had been an unusual increase in traffic to HealthHub on four days - Sept 28 and Oct 3, 8 and 9.

The log-in attempts were made with more than 27,000 unique e-mail addresses. The vast majority of these did not match existing HealthHub accounts and the attempts failed but 72 accounts were suspected to have been compromised and the log-in attempts succeeded. Following this discovery, the 72 accounts were locked and their users were contacted to reset passwords.

A six-day shut-down of the HealthHub mobile app and website also commenced in mid October as investigations were ongoing. Access to the e-service has since been restored.

Illegal access was limited to the basic tier of HealthHub, which contains users' self-populated profiles and points accumulated through participation in HPB programmes.

More sensitive information such as people's medical data was not exposed as access is protected by SingPass' two-factor authentication.

IHiS and HPB said there was "no evidence of a breach in the HealthHub system".

Still, in the light of a Committee of Inquiry into the SingHealth breach and a national drive to step up cyber security, IHiS now faces more questions.

"Any threat detection system would have raised alerts for unusual traffic," said Mr Aloysius Cheang, Asia-Pacific executive vice-president of the Centre for Strategic Cyberspace + Security Science, a London-based think-tank.

Instead, the unauthorised access was discovered only after the user's complaint.

"Based on the suspicious volume of e-mail addresses not related to HealthHub account IDs and the repeated attempts, it is likely that the volume of e-mail addresses used had been obtained from external sources," HPB said in its statement.

Cyber security experts said this incident is "elementary" compared with June's attack on SingHealth, which led to Singapore's worst data breach involving the personal data of 1.5 million SingHealth patients.

It has still raised concerns. Mr Steven D'sa, cyber security specialist FireEye's director for South-east Asia, said it regularly observes attackers trying to use passwords obtained from breached accounts to break into other e-services.

"It's tempting to use a single password (across multiple accounts) or to create an easy scheme in your head, but those approaches are likely to make you an easy target," he said.
HealthHub draws data from public healthcare databases such as the National Electronic Healthcare Records and School Health System.

Join ST's WhatsApp Channel and get the latest news and must-reads.