NHG fined $6k for failing to secure personal data

Privacy watchdog also sanctioned 5 others - including Safra, Creative - over last 2 months

Public healthcare cluster National Healthcare Group (NHG) has been fined $6,000 for failing to secure personal data - a year after another healthcare cluster, SingHealth, received a record fine after a breach in its database.

Five other companies, including Safra and Creative Technology, have also been sanctioned over the past two months by the Personal Data Protection Commission (PDPC) for similar failings.

On Thursday, the PDPC, Singapore's privacy watchdog, uploaded documents about these fines onto its website.

In the case of NHG, a list containing the information of 129 doctors was found by one of them when she did a Google search of her name.

This list, which was put together when these doctors signed up to partner the cluster via a website, contained full names, mobile numbers, NRIC numbers and photographs of some of them.

The information of five members of the public who had submitted their data to give feedback on this website was also in the list.

This included their full names and e-mail addresses, as well as the mobile numbers of some of them.

This list should not have been accessible to non-authorised users and members of the public.

Last year, Singapore's largest healthcare cluster, SingHealth, was slapped with a $250,000 fine for failing to secure patient data.

This resulted in Singapore's worst cyber attack, which compromised the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong.

In a separate case, local tech firm Creative Technology was issued a financial penalty of $15,000 for not having proper security arrangements in place for its online support forum.

This resulted in hackers stealing the personal data of users in 2018.

The PDPC said that according to Creative, the information of more than 484,000 users had been stolen by the hacker, and the data stolen included their usernames, passwords and, for some, their names and e-mail addresses.

But the privacy watchdog could not confirm the number of individuals affected, as Creative made the decision to delete the forum's user database following detection of the hacking - an action that was "hastily" done, noted the commission.

The Straits Times reported in 2018 that Creative said the hacking was a minor incident, as it felt it did not involve major sensitive information.

The PDPC also said that the Safra National Service Association was fined $10,000 for not protecting the personal data of members of its shooting club.

An employee had sent out two separate batches of e-mails with spreadsheets attached that contained the data of 780 members.

These spreadsheets included members' names, NRIC numbers, dates of birth, addresses and telephone numbers.

Other financial penalties the PDPC issued included a $34,000 fine imposed on marketing firm Globalsign.in for insufficiently protecting the data of its clients and for holding on to such data it no longer needed for legal or business purposes.

Recruitment services firm PeopleSearch was also fined $5,000 for not having secure protection measures for its data.

This resulted in a ransomware attack that prevented it from accessing its clients' personal data.

A $20,000 fine was issued to the Society of Tourist Guides, a non-profit group that works with the Singapore Tourism Board to promote guides here, for exposing the data of about 100 of its members.

In collecting personal data from its members, such as contact numbers and images of their identification documents, the group did not put protection measures in place, allowing members of the public to access the information.

ST reported on March 10 last year that a 27-year-old had chanced on the private information while doing research for his work and had informed the PDPC.

A version of this article appeared in the print edition of The Straits Times on January 11, 2020, with the headline NHG fined $6k for failing to secure personal data.