Personal Information of 1.5m SingHealth Patients Stolen in Singapore’s Most Serious Cyber Attack
The personal information of 1.5 million SingHealth patients, including Singapore’s Prime Minister Lee Hsien Loong and a few other ministers, has been stolen in one of the country’s most serious cyber attack incidences.
SingHealth is Singapore’s largest group of healthcare institutions, comprising of four hospitals, five national specialty centres and eight polyclinics in total. From 1 May 2015 to 4 July 2018, approximately 1.5 million patients visited SingHealth’s specialist outpatient clinics and polyclinics.
The cyber attack is believed to be a state-sponsored attack, with the hackers infiltrating SingHealth’s computers. In a multi-ministry press conference today (20 July), authorities confirmed that PM Lee’s information was “specifically and repeatedly targerted” during the attack.
In the incident, non-medical personal data was illegally accessed and copied. The data included information pertaining to the names, IC numbers, dates of birth, gender, race and addresses, diagnoses, doctor’s notes and test results of SingHealth patients. There was no record found to be tampered with other than the patient records. There was also no evidence of a similar breach in the other public healthcare IT systems in Singapore.
Most Serious & Unprecedented Breach of Personal Data
Singapore’s Health Minister Gan Kim Yong, and the Minister for Communications and Information, S. Iswaran, have both stated that the leak is the most serious and unprecedented breach of personal data that Singapore has ever experienced. Mr Gan has issued an apology to the patients who have been affected by this breach, stating “We are deeply sorry this has happened.”
Meanwhile, Chief Executive of Cyber Security Agency of Singapore, Mr David Koh, has stated that “this was a deliberate, targeted and well-planned cyberattack, and it was not the work of casual hackers or criminal gangs.”
Singapore’s Smart Nation plans – including the National Electronic Health Record (NEHR) project which enables patient treatment and medical data sharing among hospitals in Singapore – have been put on hold in light of the attack.
S. Iswaran, the Minister in Charge of Cyber Security will convene a Committee of Inquiry (COI) which will conduct an independent external review of the incident. The committee will be chaired by retired district judge Richard Magnus.
SingHealth’s front-end workstations was infected with a malware
Initial investigations have revealed that one of SingHealth’s front-end workstations was infected with a malware, and this was how the hackers gained access to the database. The data theft was believed to have occurred between 27 June and 4 July 2018. SingHealth has since then imposed a temporary Internet surfing separation on all its 28,000 staff’s work computers and other public healthcare institutions will be doing the same.
The breach was first noted when unusual activity was detected on 4 July at one of SingHealth’s IT databases. Various security measures, including the blocking of dubious connections and the changing of passwords, were taken to thwart by the hackers.
SingHealth, along with the Health Ministry and Cyber Security Agency of Singapore were informed on the 10 of July that it was in fact a cyber attack upon confirmation by forensic investigations. A police report was then lodged on 12 July. Since the incident, no further data has been stolen.
Patient records in SingHealth’s IT system remains intact and there has been no disruption since to the healthcare services. SingHealth will be contacting all patients who visited the specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 to inform them if their data has been stolen. Patients can expect to receive an SMS over the next five days. Patients who have access to SingHealth’s Health Buddy mobile app will be able to check if they have been affected by the breach.
Mr. S. Iswaran has stated that “we must get to the bottom of this breach and not let this derail our Smart Nation services, it is the way of the future.” Mr Iswaran further emphasized that the Smart Nation projects were merely put on hold, and not stopped entirely.
The Ministry of Health has conducted a thorough review of the public healthcare system to improve cyber security. All public and private healthcare institutions in Singapore have been advised to take the necessary cyber security precautions.