SingHealth cyber attack: PM Lee and other ministers among 1.5 million patients whose records were stolen

SPH Brightcove Video
A​bout 1.5 million patients, including Prime Minister Lee Hsien Loong​ ​and a ​few ministers, ​have had their personal data stolen. Some 160,000 people also had their outpatient prescriptions stolen.​
PM Lee Hsien Loong was the primary target of the attack and the attacker repeatedly attempted to locate PM Lee's records using personal identifiers. PHOTO: ST FILE

SINGAPORE - Prime Minister Lee Hsien Loong and a few other ministers were among those who had their personal particulars and prescription records stolen in a massive cyber attack on SingHealth's database.

"This is the most serious breach of personal data that Singapore has experienced," said Minister-in-charge of Cyber Security S. Iswaran, who is also Minister for Communications and Information.

The attack, which took place between June 27 and July 4, saw the basic personal particulars of 1.5 million patients copied and exported illegally - including names, NRIC numbers, addresses, genders, races and dates of birth.

The patients accessed outpatient services under the SingHealth group, which includes Singapore General Hospital, between May 1, 2015, and July 4, 2018.

Among these 1.5 million patients, a smaller group of 160,000 - including PM Lee and a few Cabinet ministers - also had their prescription records stolen.

"The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong's personal particulars and information on his outpatient dispensed medicines," said a joint press statement by the Ministry of Communications and Information and the Ministry of Health.

PM Lee was the primary target of the attack and the attacker repeatedly attempted to locate PM Lee's records using personal identifiers, The Straits Times understands.

Mr David Koh, chief executive of the Cyber Security Agency of Singapore, described it as a "deliberate, targeted and well-planned cyber attack" carried out by a sophisticated attacker.

"It was not the work of casual hackers or criminal gangs," he added, declining to identify the perpetrator.

The Straits Times understands that this is likely to refer to a state-sponsored attack.

According to a government official, very few countries have the capability and sophistication to carry out such an attack.

The authorities have declined to say how many ministers had their data compromised or to name the ministers, citing patient confidentiality, and have stressed that the breach of any patient's records is treated with utmost seriousness, no matter the identity of that patient.

PM Lee was named in the joint statement with his consent.

It is not clear if the loss of data belonging to PM Lee and other ministers will have national security implications.

Asked about this, Mr Iswaran said he did not want to go into further details for operational security reasons.

"We have said enough for the public to appreciate the gravity of the challenge," he said.

Mr Iswaran was speaking at a press conference on Friday (July 20), which was co-chaired by Minister for Health Gan Kim Yong.

There is no evidence that the stolen information has so far been misused or put on sale on the Internet, added Mr Koh.

Mr Gan has apologised for the breach. Additional security measures have been taken to safeguard the computer systems in the public healthcare sector.

A Committee of Inquiry will soon be convened to examine how the attack happened and recommend measures to better protect information systems against future attacks.

Mr Iswaran noted during the press conference that unauthorised access to a computer is an offence under cyber-security laws here.

A police report has been made and investigations are ongoing.

Join ST's WhatsApp Channel and get the latest news and must-reads.