SINGAPORE - In Singapore’s worst cyber attack, hackers have stolen the personal particulars of 1.5 million patients. Of these, 160,000 people, including Prime Minister Lee Hsien Loong and a few ministers, had their outpatient prescriptions stolen as well.
The hackers infiltrated the computers of SingHealth, Singapore's largest group of healthcare institutions with four hospitals, five national speciality centres and eight polyclinics. Two other polyclinics used to be under SingHealth.
At a multi-ministry press conference on Friday (July 20), the authorities said PM Lee's information was "specifically and repeatedly targeted".
The 1.5 million patients had visited SingHealth's specialist outpatient clinics and polyclinics from May 1, 2015, to July 4, 2018.
Their non-medical personal data that was illegally accessed and copied included their names, IC numbers, addresses, gender, race and dates of birth.
No record was tampered with and no other patient records such as diagnosis, test results and doctors' notes were breached. There was no evidence of a similar breach in the other public healthcare IT systems.
Health Minister Gan Kim Yong and Minister for Communications and Information S. Iswaran both described the leak as the most serious, unprecedented breach of personal data in Singapore.
Mr Gan apologised to the affected patients, saying: “We are deeply sorry this has happened.”
Mr David Koh, chief executive of the Cyber Security Agency of Singapore, said that “this was a deliberate, targeted and well-planned cyber attack”.
“It was not the work of casual hackers or criminal gangs,” he added.
In the light of the attack, all of Singapore's Smart Nation plans, including the mandatory contribution to the National Electronic Health Record (NEHR) project - which enables the sharing of patients' treatment and medical data among hospitals here - have been paused.
Specifically, mandatory contribution to NEHR is now on hold until further notice.
Mr Iswaran, who is also Minister-in-Charge of Cyber Security, will convene a Committee of Inquiry (COI) to conduct an independent external review of the incident. Retired district judge Richard Magnus will chair the committee.
Initial investigations showed that one SingHealth front-end workstation was infected with malware through which the hackers gained access to the data base. The data theft happened between June 27, 2018, and July 4, 2018.
SingHealth has imposed a temporary Internet surfing separation on all of its 28,000 staff's work computers. Other public healthcare institutions will do the same.
Unusual activity was first detected on July 4 on one of SingHealth's IT databases. Security measures, including the blocking of dubious connections and changing of passwords, were taken to thwart the hackers.
On July 10, the Health Ministry, SingHealth and the Cyber Security Agency of Singapore were informed after forensic investigations confirmed that it was a cyber attack. A police report was made on July 12.
No further data has been stolen since July 4.
All patient records in SingHealth's IT system remain intact and there has been no disruption of healthcare services.
SingHealth will be contacting all patients who visited its specialist outpatient clinics and polyclinics from May 1, 2015, to July 4, 2018, to notify them if their data has been stolen. An SMS message will be sent to all patients over the next five days.
Patients can also access the Health Buddy mobile app and SingHealth website to check if they are affected by the breach. They can also check using this link.
Mr Iswaran said that “we must get to the bottom of this breach”.
“We must not let this derail our Smart Nation services... it is the way of the future,” he said, taking a longer-term view of the projects.
Even though a thorough review of Smart Nation projects will be conducted, he stressed that Singapore has paused but not halted these projects.
The Ministry of Health has directed a thorough review of the public healthcare system to improve cyber security, and all public and private healthcare institutions have been advised to take cyber-security precautions.