Fullerton Health, vendor fined $68k in total after data leaked for sale on Dark Web
The customer data that Fullerton Health shared with vendor Agape Connecting People was left exposed without password protection for months.
SINGAPORE – Fullerton Health Group, which runs at least 30 clinics here and operated many of the Covid-19 vaccination centres at the height of the pandemic, has been fined $58,000 over a data leak in 2021.
The customer data it shared with a vendor was left exposed without password protection for months.
This led to the personal data of 133,866 patients and 23,034 employees of its corporate clients being leaked, including their NRIC numbers, contact details, bank account numbers and codes and health information, said the Personal Data Protection Commission (PDPC) in its case findings on Thursday.
Agape Connecting People, the vendor Fullerton Health hired to provide call centre and appointment booking services, was fined $10,000 for failing to secure the customer data entrusted to it by the healthcare group.
The data was found peddled on the Dark Web in late 2021, which prompted Fullerton Health and Agape to ask the PDPC in January 2022 to take over the investigation.
The PDPC’s written judgment found that Fullerton Health had worsened the situation by providing personal data to Agape that the vendor did not require. It had also lapsed in its responsibility of supervising the vendor.
As part of its social enterprise initiatives, Agape engaged inmates from the Changi Women’s Prison to assist with the services on behalf of Fullerton Health, said the PDPC.
The group shared the personal data of its customers with Agape via Microsoft SharePoint, a cloud-based document management system, which could be accessed only from a computer issued to Agape by Fullerton Health.
As part of the procedure, customer data was downloaded from this computer to a separate online drive that was linked to the Internet. Only selected inmates could access the files.
The investigation found that while Agape conducted periodic security checks on its IT systems, it did not check the file server that stored data from Fullerton Health, which was a legacy feature unique to the partnership, and not implemented for Agape’s other clients.
The password for the drive had also been disabled for about 20 months, and no expiry date had been set.
“Agape admitted that this caused the online drive to become an open directory listing on the Internet with no password protection, and highly vulnerable to unauthorised access, modification and similar risks over an excessive period of time,” said the PDPC.
It added that the cause of leaving the drive without a password could not be established.
The case came to light on Oct 15, 2021, when Fullerton Health realised its customer data had been sold on a Dark Web forum.
Its cyber-security consultants contacted the seller, who claimed that the data had been stolen from Agape’s file servers. The Dark Web listing was removed by Oct 22 that year and the online drive was suspended.
Despite engaging a vendor, Fullerton Health bears the same obligations under the Personal Data Protection Act (PDPA) as if the data had been handled by the organisation itself, said the PDPC.
It added that there was insufficient evidence to show whether Fullerton Health was aware that customer data was being copied to Agape’s drive, or whether it had approved this, but the healthcare group still bore the responsibility to check how the data would be handled.
The PDPC noted that Fullerton Health had reviewed Agape’s systems before agreeing to the partnership, and, in its written agreement, required Agape to comply with the PDPA, among other rules.
Fullerton Health also disclosed personal data intended only for its employees’ internal use, including financial and health-related data, which led to the incident being “amplified”, said the PDPC.
“These datasets were not required by Agape for the performance of the services, and this inadvertent disclosure ultimately led to a greater loss of personal data during the incident,” it said, adding that organisations create unnecessary risks when they share more data than is needed.
In deciding the amount of a fine that would be a proportionate deterrent, the PDPC noted that Fullerton Health’s annual turnover was almost 50 times higher than Agape’s, according to its latest audited accounts.
The group’s revenue crossed $800 million in 2021, and it owns more than 550 facilities globally, with more than 6,000 employees, according to its website, dated August 2022.
Following the incident, Fullerton Health has implemented multi-factor authentication for its SharePoint database, with “view-only” access, said the PDPC.
Agape has also refreshed its data protection policies and enrolled its staff for cyber-security courses.
When contacted, Fullerton Health managing director Walter Lim said the firm has since complied with all the remediation steps set out by the PDPC. It has also enhanced its cyber-security measures and attained an internationally recognised certification for security management.
Dr Lim said: “We continue to take our responsibility for data protection very seriously and remain vigilant in our efforts.”
In November 2022, Farrer Park Hospital was fined $58,000 over a data breach.