Singapore's privacy watchdog fines IHiS $750,000 and SingHealth $250,000 for data breach


SINGAPORE - Singapore's privacy watchdog has meted out its largest fine of $750,000 to Integrated Health Information Systems (IHiS) for lapses in securing patient data which resulted in the nation's worst data breach.

The cyber attack on SingHealth in June 2018 compromised the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong.

Even though IHiS is the technology vendor for Singapore's healthcare sector, SingHealth also has to take responsibility as the owner of the patient database system - a point that the Personal Data Protection Commission (PDPC) stressed in dishing out penalties.

SingHealth was fined $250,000, the second largest here.

In a statement on Tuesday (Jan 15), the PDPC said: "Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers."

IHiS and SingHealth are wholly owned subsidiaries of MOH Holdings, the holding company through which the Singapore Government owns the corporatised institutions in the public healthcare sector.

In a statement on Tuesday, Professor Ivy Ng, SingHealth group chief executive officer, apologised to patients and accepted the PDPC fine.

She said: "We are making changes to enhance our cyber-security governance structures and improve management oversight of our critical systems.

"We are also working with IHiS to comprehensively upgrade our cyber-defence systems and processes to more effectively guard against cyber-security risks, as well as to respond in a timely and robust manner to any intrusion.

"We are fully committed to learning and improving from this incident. We will embed cyber-security consciousness into our daily operations and ensure that stringent measures are in place to safeguard our patients' data."

Mr Peter Seah, chairman of SingHealth, added that its senior leadership team, including its group chief executive officer, has voluntarily accepted a financial penalty. SingHealth did not disclose the amount of the penalty.

Singapore's privacy watchdog also found the person handling security incidents involving SingHealth to be unfamiliar with the incident response process. He failed to take further steps to investigate and understand reports on suspicious activities, it noted.

The PDPC was referring to the key technology risk man at IHiS - cluster information security officer Wee Jia Huo - who was in charge of the SingHealth cluster.

In a public report issued last week by the Committee of Inquiry probing the cyber attack, Mr Wee was said to have displayed "an alarming lack of concern" when it was clear that a critical system had been potentially breached.

It was reported on Monday that IHiS had fired two employees and redeployed its technology risk man. Mr Wee, whose job was to decide if upper management should be alerted to incidents, was demoted and redeployed to another role.

IHiS would also impose a "significant financial penalty" on five members of its senior management team, including chief executive officer Bruce Liang.

On Tuesday, Mr Liang apologised to patients who were affected.

He said in a statement that IHiS has learnt a lot about advanced cyberattack operations, as well as about its own weaknesses.

"We are determined to improve as an organisation. We are also resolute in partnering the healthcare family to transform our cyber defence capabilities in order to protect the well-being of our patients," he added.

IHiS also gave an update on the new safeguards it has started to put in place for the IT systems of the three healthcare clusters it is managing.

For example, advanced threat protection technologies have been fully deployed across all three public healthcare clusters in more than 6,000 servers and 60,000 endpoint devices. Privileged access to dedicated local workstations is now restricted.

Additionally, database activity monitoring tools have been rolled out to mitigate the coding vulnerability in SingHealth's electronic medical record system. IHiS has also stepped up the training and engagement of staff to raise awareness about cyber security.

Those found to be in breach of the Personal Data Protection Act in Singapore could be fined up to $1 million. Karaoke bar chain K Box was among the first batch of organisations punished for breaking the law. It was fined $50,000 over an incident in September 2014 that saw the data of 317,000 customers leaked.
