Hackers Steal Millions of Patients’ Personal Information: How Does Singapore React?
The personal information of 1.5 million SingHealth patients, including Singapore’s Prime Minister Lee Hsien Loong and a few other ministers, has been stolen in one of the country’s most serious cyber attack incidences.
SingHealth is Singapore’s largest group of healthcare institutions. It comprises of four hospitals, five national speciality centres and eight polyclinics in total. From 1 May 2015 to 4 July 2018, approximately 1.5 million patients visited SingHealth’s specialist outpatient clinics and polyclinics.
Experts believe that this cyber attack has state sponsorship, with the hackers infiltrating SingHealth’s computers. In a multi-ministry press conference today (20 July), authorities confirmed that PM Lee’s information was “specifically and repeatedly targeted” during the attack.
In the incident, there was illegal access and copying of non-medical personal data. The data included information pertaining to the names, IC numbers, dates of birth, gender, race and addresses, diagnoses, doctor’s notes and test results of SingHealth patients. There was no record other than the patient records. There was also no evidence of a similar breach in the other public healthcare IT systems in Singapore.
Most Serious & Unprecedented Breach of Personal Data
Singapore’s Health Minister Gan Kim Yong, and the Minister for Communications and Information, S. Iswaran, have both stated that the leak is the most serious and unprecedented breach of personal data that Singapore has ever experienced. Mr Gan has issued an apology to the patients who have been affected by this breach. He stated, “We are deeply sorry this has happened”.
Meanwhile, Chief Executive of Cyber Security Agency of Singapore, Mr David Koh, has stated that “this was a deliberate, targeted and well-planned cyberattack. It was not the work of casual hackers or criminal gangs”.
Singapore’s Smart Nation plans have been on hold in light of the attack. The committee includes the National Electronic Health Record (NEHR) project which enables patient treatment and medical data sharing among hospitals in Singapore.
S. Iswaran will convene a Committee of Inquiry (COI) which will conduct an independent external review of the incident. Retired district judge Richard Magnus will head he committee.
Malware Infections at SingHealth’s Front-end Workstations
Initial investigations have revealed that one of SingHealth’s front-end workstations have acquired malware. This was how the hackers gained access to the database. Investigators believe that data theft has occurred between 27 June and 4 July 2018. SingHealth has since then imposed a temporary Internet surfing separation on all its 28,000 staff’s work computers. Meanwhile, other public healthcare institutions will be doing the same.
The investigators assumed that the unusual activity occurred on 4 July at one of SingHealth’s IT databases. Various security measures, including the blocking of dubious connections and the changing of passwords, were impossible. It seemed the hackers have gained control of these measures.
SingHealth, along with the Health Ministry and Cyber Security Agency of Singapore stated on the 10 of July that it was, in fact, a cyber attack. This happened upon confirmation by forensic investigations. The police have then lodged a report on 12 July.
What Future Holds
Patient records in SingHealth’s IT system remain intact and there has been no disruption since to the healthcare services. SingHealth will also be contacting all patients from specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 to inform them regarding their data status. Patients can expect to receive an SMS over the next five days. Patients who have access to SingHealth’s Health Buddy mobile app can check if they have been affected by the breach.
Mr S. Iswaran has stated that “we must get to the bottom of this breach and not let this derail our Smart Nation services, it is the way of the future”. Mr Iswaran further emphasized that the Smart Nation projects are merely put on hold, but not entirely.
The Ministry of Health has conducted a thorough review of the public healthcare system to improve cybersecurity. Moreover, the ministry advised all public and private healthcare institutions in Singapore to take the necessary cybersecurity precautions.