SingHealth cyber attack: Some patients receive SMSes addressed to others

SingHealth sent over 700,000 SMS notifications to affected patients, informing them as to whether their data was stolen in the cyber attack.
SingHealth sent over 700,000 SMS notifications to affected patients, informing them as to whether their data was stolen in the cyber attack.PHOTO: THE STRAITS TIMES

SINGAPORE - In the midst of SingHealth's major exercise to inform patients as to whether their data was stolen in Singapore's worst cyber attack, some patients have also received SMSes addressed to other people.

Over 700,000 SMS notifications have been sent to affected patients, said Singapore's largest healthcare group in a statement on Saturday evening (July 21).

The attack, which started in June, saw hackers obtain the personal particulars of 1.5 million patients from its database, including that of Prime Minister Lee Hsien Loong. The stolen records relate to patient visits at SingHealth specialist outpatient clinics and polyclinics between May 1, 2015, and July 4 this year.

Among those who received SMS notifications from SingHealth was Ms J. Parvin, 23, a student, who was surprised as the message was addressed to a name that did not belong to her. The message said that the person was not affected by the cyber attack.

However, when Ms Parvin logged in to the SingHealth website with her SingPass, she found that her non-medical details had been affected but her outpatient medication information was not.

"I felt quite unsafe at first. But after seeing that my medical records were are safe, I was relieved," she said.

A SingHealth spokesman said it had received feedback about patients receiving SMSes from SingHealth addressed to other people.

"While we have made efforts to ensure this doesn't happen, we recognise that there are two possible scenarios why this may have happened - it could be a recycled mobile number that was previously registered to someone else, or it could be a wrong number mistakenly given to us," said the spokesman.

The SingHealth spokesman said that if members of public had queries about the SMS that they had received, they could visit the SingHealth Facebook page, which has regular updates and alerts. The page also has a sample screenshot of the SMS notification from SingHealth for verification purposes.

In a Facebook post on Friday night, SingHealth had also warned patients against fake text messages.

It said it was aware that some people had received fake messages that were not from SingHealth. The messages claimed that recipients' personal data, telephone numbers, financial details and medical records had all been accessed by the hackers.

SingHealth reassured patients that no phone numbers, financial information or medical records had been illegally accessed during the cyber attack.

In Saturday's statement, SingHealth said that the remaining SMS notifications would be sent out over the next two days, and the 150,000 patients who did not register their mobile numbers would receive letters on the matter within one week.

It said patients could also use the Health Buddy mobile app and SingHealth website to check if they were affected, and that 139,000 patients have done so.

SingHealth also said it had received more than 4,800 calls from patients and members of the public enquiring on the cyber attack, and that it received 750 e-mails from patients checking on their status.