Worry, confusion and ambivalence among those affected by SingHealth's data breach

Authorities said the data theft took place between June 27 and July 4, and patients who were affected had visited SingHealth's specialist outpatient clinics and polyclinics from May 1, 2015, to July 4, 2018.
Authorities said the data theft took place between June 27 and July 4, and patients who were affected had visited SingHealth's specialist outpatient clinics and polyclinics from May 1, 2015, to July 4, 2018.ST PHOTO: ARIFFIN JAMAR
A​bout 1.5 million patients, including Prime Minister Lee Hsien Loong​ ​and a ​few ministers, ​have had their personal data stolen. Some 160,000 people also had their outpatient prescriptions stolen.​

SINGAPORE - The most serious cyber attack to strike Singapore saw the data of about 1.5 million patients, including Prime Minister Lee Hsien Loong, stolen from healthcare provider SingHealth's database.

Authorities said the data theft took place between June 27 and July 4, and patients who were affected had visited SingHealth's specialist outpatient clinics and polyclinics from May 1, 2015, to July 4 this year.

Their non-medical personal data that was illegally accessed and copied included their names, IC numbers, addresses, gender, race and dates of birth.

Most of the affected patients The Straits Times spoke to were worried about what their stolen data would be used for.

Ms Phoebe Lim, 17, said: "I am a little disturbed as not only my NRIC and name were accessed, my address was also taken. This just affects my safety as well.

"There is no point in checking if we are affected and not being able to do anything about it."

The student said she had not received any SMS notification from SingHealth about her data being accessed, and that she found out only after checking the link online.

 
 
 
 

Analyst Thoo Sheng Bao, 29, also found out that his data was affected only after checking online.

"I am disappointed with the system, and hopefully the data is not misused in any way," Mr Thoo said.

Most of those affected agreed that they wanted to see SingHealth provide more guidance as to what follow-up actions to take.

Madam Vijaya Viji, 52, a senior admin assistant who had visited SingHealth's clinics more than 10 times between May 2015 and July this year, said:"I hope SingHealth will follow up on the issue as many people are affected, and if anything happen they should account for it.

"Luckily my telephone number and credit card details were not affected (in the breach)."

Both Madam Vijaya and her daughter were affected by the breach.

SingHealth's SMSmessages about the incident also caused confusion for one particular patient.

Ms J Parvin, 23, a student, was surprised as the message she received was addressed to a name that did not belong to her. The message said that the person was not affected by the cyber attack.

However, when Ms Parvin logged in to the SingHealth website with her SingPass, she found that she had been affected.

"I have a health condition and it would have been troublesome for me when I see the doctor if my medical data was deleted or stolen," she said.

In response to queries, SingHealth said on Saturday that it has received feedback regarding the matter.

"While we have made efforts to ensure this doesn’t happen, we recognise that there are two possible scenarios why this may have happened – it could be a recycled mobile number that was previously registered to someone else, or it could be a wrong number mistakenly given to us," said its spokesman.

But there were some who were not too worried about the data breach.

A 47-year-old woman who wanted to be known only as Wendy told ST: "It seems like the hackers were targeting more prominent figures and not me, so I am less concerned now."

Dr Mark Cenite, a senior lecturer at the Wee Kim Wee School of Communication and Information at Nanyang Technological University, found out his data was accessed after receiving an SMS from SingHealth notifying him of the breach on Friday evening.

He said the breach raises concerns about the bigger issue of cyber security, but said the limited scope of his data that was accessed in this case did not cause him too much concern.

The American said: "This is not the first time I've received such an alert. I have US accounts that were involved in data breaches affecting massive numbers of customers, but I have never been aware of any consequences."