Singapore's privacy watchdog to investigate SingHealth data breach

The SingHealth attack, which was made known to the public on July 20, compromised the personal particulars of about 1.5 million patients, including those of Prime Minister Lee Hsien Loong.

SINGAPORE - Singapore's privacy watchdog will be investigating the cyber attack on healthcare group SingHealth, which resulted in the biggest data breach in Singapore.

The Personal Data Protection Commission (PDPC) has been notified about the incident, said a spokesman for the Ministry of Communications and Information (MCI) on Tuesday (July 24) in response to queries from The Straits Times.

The spokesman said that SingHealth and the Integrated Health Information Systems, the technology outsourcing arm of public hospitals here, are corporate entities.

This means that they are bound by the Personal Data Protection Act, which requires organisations to put in place adequate security measures to protect consumers' personal data. Organisations flouting the Act, in force since July 2014, can be fined up to $1 million.

"The PDPC will take into account the Committee of Inquiry's report in its determination and assessment of any appropriate action to be taken," said the MCI spokesman.

The SingHealth attack, which was made known to the public last Friday, compromised the personal particulars of about 1.5 million patients.

Of these, 160,000 people, including Prime Minister Lee Hsien Loong and a few ministers, had their outpatient prescription information stolen as well.

The authorities had said that the attackers specifically and repeatedly targeted data on PM Lee.

They added that it was a deliberate, targeted and well-planned cyber attack, but ruled out casual hackers and criminal gangs as the perpetrators.

Cyber-security experts said that given the nature of the attack, it was likely to be state-organised or sponsored.

The 1.5 million patients had visited SingHealth’s specialist outpatient clinics and polyclinics from May 1, 2015, to July 4, 2018.

Their non-medical personal data that was illegally accessed and copied included their names, NRIC numbers, addresses, gender, race and dates of birth.

No record was tampered with and no other patient records such as diagnoses, test results and doctors’ notes were breached. There was no evidence of a similar breach in the other public healthcare IT systems.

The data theft happened between June 27, 2018, and July 4, 2018.

Mr S. Iswaran, Minister-in-charge of Cyber Security and Minister for Communications and Information, will convene a Committee of Inquiry to find out what went wrong and recommend ways to better safeguard critical systems.

The committee will be chaired by former chief district judge Richard Magnus, who is also a current member of the Public Service Commission.

He previously chaired the three-man Committee of Inquiry that looked into the Nicoll Highway collapse at a Circle Line MRT work site on April 20, 2004. Four workers were killed in the incident.

Other incidents that have been investigated by such high-level committees include the Little India riots in December 2013 and the series of train disruptions on the North-South MRT Line in December 2011.