Farrer Park Hospital fined $58k over leaked patient data, medical records

The confidential data from Farrer Park Hospital was leaked through e-mails that had been automatically forwarded to a third-party recipient over nearly two years.

SINGAPORE - Farrer Park Hospital has been fined $58,000 over a data breach that led to personal data of 3,539 individuals being leaked.

Of these, 1,923 individuals had their medical records disclosed.

The confidential data was leaked through 9,271 e-mails that had been automatically forwarded to an undisclosed third-party recipient over nearly two years, said the Personal Data Protection Commission (PDPC) in a judgment on the case dated Sept 15 and released on Friday.

Between March 8, 2018, and Oct 25, 2019, a total of 9,271 e-mails had been automatically forwarded from two of the hospital’s employees’ Microsoft Office 365 work e-mail accounts to an outsider’s e-mail address.

PDPC’s report did not provide further information on the third-party recipient.

The employees were from the hospital’s marketing department and handled personal information coming from patients and clients requesting medical treatment. The data collected includes the sender’s name, NRIC, birthdate, passport details, picture and contact number. It also includes medical information, such as the patient’s medical condition and documents containing medical procedures, X-rays and other analysis.

In October 2019, the hospital’s helpdesk received a complaint that one of its e-mail accounts could not send outgoing e-mails. The IT department soon discovered that two accounts were used without authority to automatically forward all incoming e-mails to a third-party e-mail account.

At that time, the hospital had implemented a suite of data protection measures and policies, such as a cloud-based filtering service to protect the organisation from e-mail threats, firewalls to prevent unauthorised access to its private network, and cyber-security training for its staff.

The work e-mail accounts of the hospital’s employees were hosted on Microsoft Office 365. But at the time of the incident, the accounts were not equipped with multi-factor authentication, which was only rolled out in June 2019.

The hospital has since disabled the auto-forwarding feature and ramped up internal cyber-security measures, said the PDPC, adding that the feature was a known security risk to organisations.

PDPC said it gave the hospital the benefit of the doubt that a lack of guidelines on cyber-security measures may have affected its assessment of the risks, but warned of enforcement action in future cases. It added that the hospital’s marketing department ought to have implemented stronger security arrangements as it routinely handles a high volume of sensitive personal data.

The hospital lacked secure authentication methods that would include a combination of a passcode or digital key, which were implemented too late, it added. The hospital reported that it appointed a private forensic expert to monitor the Internet and the dark Web from February to April 2020 and that it did not find any unauthorised disclosure of the personal data involved, said the PDPC.

The hospital also said it did not receive any complaints from the affected individuals and that none of the data was misused, but the PDPC did not accept this as a mitigating factor.

Responding to queries on the data leak, Dr Timothy Low, Farrer Park Hospital’s chief executive officer, said: “We had immediately addressed the data breach in 2019 and informed all affected patients about the incident.” He added: “Please be assured that there was no impact on our hospital operations. We take this incident very seriously and deeply regret the inconvenience caused to the affected patients.”

Personal health information is some of the most valuable data for hackers as the data from hospitals is more likely to be accurate, said senior principal scientist Edward Wu from cyber-security provider ExtraHop. The stolen data can also be used to commit insurance and medical fraud or make disingenuous financial claims.

He said: “When you’re sitting on top of millions of patient records and sensitive information, you have to make sure you’re taking all the steps necessary to protect that data… It is incumbent upon healthcare organisations to take security seriously and put both proactive and preventative measures in place alongside tools to detect and remediate threats.”

In Singapore’s worst cyber attack, hackers stole the personal particulars of 1.5 million patients, including those of Prime Minister Lee Hsien Loong, in 2018.

PDPC cited an earlier data breach incident that was investigated by the Australian Information Commissioner, involving shipping logistics firm Maersk. Some 50,000 e-mails were automatically forwarded from three staff accounts to external parties.

PDPC added that the United States Federal Bureau of Investigation said in 2020 that hackers used sensitive data harvested from such breaches in scams, and it also urged companies to deactivate the auto-forwarding feature.

For a data breach, a company can be fined a maximum of $1 million or 10 per cent of its annual turnover here, whichever is higher.
