Info on 1.5m SingHealth patients stolen in worst cyber attack

(From far left) Cyber Security Agency chief executive David Koh; MCI Permanent Secretary Gabriel Lim; Minister for Communications and Information S. Iswaran; Health Minister Gan Kim Yong; MOH Permanent Secretary Chan Heng Kee; and SingHealth CEO Ivy
(From left) Cyber Security Agency chief executive David Koh; MCI Permanent Secretary Gabriel Lim; Minister for Communications and Information S. Iswaran; Health Minister Gan Kim Yong; MOH Permanent Secretary Chan Heng Kee; and SingHealth CEO Ivy Ng at the press conference.ST PHOTO: MARK CHEONG

Hackers specifically and repeatedly targeted data on PM Lee; COI set up

In the worst cyber attack in Singapore's history, hackers broke into the computers of SingHealth, the Republic's largest public healthcare group, and scooped up personal information on 1.5 million patients last month.

Of these, 160,000 people, including Prime Minister Lee Hsien Loong and a few ministers, had their outpatient prescription information stolen as well.

At a press conference yesterday, the authorities said that the attackers "specifically and repeatedly" targeted data on PM Lee.

Mr David Koh, chief executive of the Cyber Security Agency of Singapore, said: "The attack was a deliberate, targeted and well-planned cyber attack." He ruled out casual hackers and criminal gangs, but refused to be drawn on who might be behind the attacks.

Cyber-security experts contacted by The Straits Times said that given the nature of the attacks, these were likely to be state-organised or sponsored, with just a few key countries such as China, Russia and the United States having the capacity to mount such a sophisticated attack.

A Committee of Inquiry (COI) will be convened to establish the events that led to the breach and recommend measures to better secure public sector IT systems.

Database administrators of the Integrated Health Information Systems first detected unusual activity on July 4, and acted immediately to halt the activity. However, subsequent investigations established that hackers had breached the system a week earlier, on June 27.

NOTHING ALARMING IN THE DATA

I don't know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me. If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it.

PRIME MINISTER LEE HSIEN LOONG

In that time, the attackers took records of patients who visited nine SingHealth institutions from May 1, 2015, to July 4 this year. The institutions include Singapore General Hospital, Changi General Hospital and SingHealth's network of polyclinics.

What specific information the hackers were after was unclear, although experts said the damage could well have been worse.

For the bulk of the 1.5 million patients, the data taken includes personal details like names, identity card numbers and addresses, and demographic information like a patient's gender, race and date of birth. Credit card numbers and mobile phone numbers were unaffected.

And while the hackers copied information on medicine dispensed to 160,000 outpatients, they did not tamper with these records nor gain access to more detailed medical records like diagnosis, test results or doctors' notes.

"I don't know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me," PM Lee said in a Facebook post. "If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it."

 

UNDAUNTED

We will do our utmost to secure our IT systems. However, we cannot completely eliminate the risk of another cyber attack... But we cannot allow, must not allow, this incident, or any others like it, to derail our plans for a smart nation.

MINISTER FOR COMMUNICATIONS AND INFORMATION S. ISWARAN

Still, the aftermath of the breach will be far-reaching. For a start, all new Smart Nation projects will be paused as the Smart Nation and Digital Government Group reviews the cyber-security measures of government systems and implements any necessary safeguards.

The introduction of a new law slated later this year - to make all healthcare institutions contribute data to the National Electronic Health Record - will be postponed.

Computers at all health clusters will also be cut off temporarily from the Internet, in much the same way Net access was cut off from computers of public servants last year. SingHealth cut access yesterday, and the other two clusters are expected to follow suit in the coming days.

At the press conference, Health Minister Gan Kim Yong apologised to the patients for the breach. "I am deeply sorry this has happened. The public healthcare family sees our role as not just providing good patient care, but also safeguarding the confidentiality of our patients' data," he said.

LEARN FROM INCIDENT

We have indeed experienced an unprecedented cyber attack that has compromised the confidentiality of our patients' data... We must learn from this and emerge stronger and more resilient from this incident.

HEALTH MINISTER GAN KIM YONG

All affected patients will be notified over the next five days either through SMS or mail, if their phone numbers are not on record. Patients can also go to SingHealth's website or app to check if their data has been affected.

Despite the attack, the Government stressed that the incident did not mean it was abandoning its technological push. Communications and Information Minister S. Iswaran, who noted there have been numerous similar breaches in countries like the US and Britain, said: "This is an ongoing battle. But we must not allow this incident, or any others like it, to derail our plans for a smart nation. We must adapt ourselves to operate effectively and securely in the digital age." 

 

 
A version of this article appeared in the print edition of The Straits Times on July 21, 2018, with the headline 'Info on 1.5m SingHealth patients stolen in worst cyber attack'. Print Edition | Subscribe