Public healthcare cluster NHG fined $6,000 for not securing personal data

Five other companies have also been sanctioned over the past two months by the Personal Data Protection Commission for similar failings.

SINGAPORE - Public healthcare cluster National Healthcare Group (NHG) has been fined $6,000 for failing to secure personal data - a year after another healthcare cluster, SingHealth, received a record fine after a breach in its database.

Five other companies, including Safra and Creative Technology, have also been sanctioned over the past two months by the Personal Data Protection Commission for similar failings.

On Thursday (Jan 9), Singapore's privacy watchdog, the Personal Data Protection Commission (PDPC), uploaded documents about these fines onto its website.

In the case of NHG, a list containing the information of 129 doctors was found by one of them when she did a Google search of her name.

This list, which was put together when these doctors signed up to partner with the cluster via a website, contained the full names, mobile numbers, NRIC numbers and photographs of some of them.

The information of five members of the public who had submitted their data to give feedback on this website was also in the list.

This included their full names and e-mail addresses, as well as the mobile numbers of some of them.

This list should not have been accessible to non-authorised users and members of the public.

Last year, Singapore's largest healthcare cluster SingHealth was slapped with a $250,000 fine for failing to secure patient data.

The lapse resulted in Singapore's worst cyber attack, which compromised the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong.

In a separate case, local tech firm Creative Technology was issued a financial penalty of $15,000 for not having proper security arrangements in place for its online support forum, which resulted in hackers stealing the personal data of users in 2018.

The PDPC said that according to Creative, the information of more than 484,000 users had been stolen by the hacker, and the data stolen included their usernames, passwords and, for some, their names and e-mail addresses.

But the privacy watchdog could not confirm the number of individuals affected, as Creative made the decision to delete the forum's user database following detection of the hack - an action that was "hastily" done, noted the commission.

"The organisation's deletion of the user database is an aggravating factor that affected the Commission's investigations.

"The number of affected individuals estimated by the organisation could not be verified given their deletion of the user database," said the PDPC.

The Straits Times had reported in 2018 that Creative said the hack was a minor incident, as it felt it did not involve major sensitive information.

The PDPC also said the Safra National Service Association was fined $10,000 for not protecting the personal data of members of its shooting club.

An employee had sent out two separate batches of e-mails attaching spreadsheets that contained the data of 780 members.

These spreadsheets included their names, NRIC numbers, dates of birth, addresses and telephone numbers.

Other financial penalties the PDPC issued included a $34,000 fine imposed on marketing firm Globalsign.in for insufficiently protecting the data of its clients and for holding on to such data it no longer needed for legal or business purposes.

Recruitment services firm PeopleSearch was also fined $5,000 for not having secure protection measures for its data, which resulted in a ransomware attack that prevented it from accessing its clients' personal data.

A $20,000 fine was issued to the Society of Tourist Guides, a non-profit group that works with the Singapore Tourism Board to promote guides here, for exposing the data of about 100 of its members.

In collecting personal data from its members, such as contact numbers and images of their identification documents, the group did not put in place protection measures, allowing members of the public to access the information.

ST had reported on March 10 last year that a 27-year-old had chanced upon the private information while doing research for his work and had informed the PDPC.

A spokesman for the group had said then it did not have resources for its own IT team and had called it a "genuine mistake".