Attempts to illegally access HealthHub uncovered

The HealthHub e-service and app, launched in 2015, is a gateway to citizens' clinic appointments and medical records.
The HealthHub e-service and app, launched in 2015, is a gateway to citizens' clinic appointments and medical records.PHOTO: SCREENGRAB FROM HEALTHHUB

72 accounts affected; app and site taken offline in fresh incident involving IHiS-run system

About 70 HealthHub accounts are suspected to have been accessed illegally in recent days, despite nationwide calls to tighten cyber security since the attack on Sing-Health's database in June.

Both the HealthHub and SingHealth incidents - although seemingly unrelated and different - happened on the watch of Integrated Health Information Systems (IHiS), which runs the IT systems of all public healthcare operators in Singapore.

The HealthHub e-service and app, launched in 2015, is a gateway to citizens' clinic appointments and medical records.

In a statement yesterday, the Health Promotion Board (HPB), which owns HealthHub, and IHiS said they started investigations after receiving feedback from a user that her e-mail account had been used to access the portal without her authorisation.

They discovered that there had been an unusual increase in traffic to HealthHub on four days - Sept 28, and Oct 3, 8 and 9.

The log-in attempts were made with more than 27,000 unique e-mail addresses. Most of these did not match existing HealthHub accounts and the attempts failed, but 72 accounts were accessed.

Following this discovery, the 72 accounts were locked and their users asked to reset passwords.

A six-day shutdown of the HealthHub mobile app and website also commenced in mid-October as investigations were ongoing. Access to the e-service has since been restored.

IHiS told ST that perpetrators could have entered the accounts using passwords stolen elsewhere or guessed the passwords to access the accounts.

Illegal access was limited to the basic tier of HealthHub, which contains users' self-populated profiles and points accumulated through participation in HPB programmes.

More sensitive information such as people's medical data was not exposed as access is protected by SingPass' two-factor authentication.

IHiS and HPB said there was "no evidence of a breach in the HealthHub system".

Still, in the light of a Committee of Inquiry into the SingHealth breach and a national drive to step up cyber security, more questions have been raised. Mr Aloysius Cheang, Asia-Pacific executive vice-president of the Centre for Strategic Cyberspace + Security Science, a London-based think-tank, said: "Any threat detection system would have raised alerts for unusual traffic." Instead, the break-ins were discovered only after the user raised the alarm.

HPB said in a statement: "Based on the suspicious volume of e-mail addresses not related to HealthHub account IDs and the repeated attempts, it is likely that the volume of e-mail addresses used had been obtained from external sources."

Cyber security experts said this attempted attack was "elementary" compared with June's attack on SingHealth, which led to Singapore's worst data breach involving the personal data of 1.5 million SingHealth patients.

In SingHealth's case, a front-end workstation was infected with malware, through which the hackers gained access to the database. The system was not breached in the latest attack.

HealthHub draws data from public healthcare databases such as the National Electronic Healthcare Records and School Health System.

A version of this article appeared in the print edition of The Straits Times on October 19, 2018, with the headline 'Attempts to illegally access HealthHub uncovered'. Print Edition | Subscribe