TheJakartaPost

Please Update your browser

Your browser is out of date, and may not be compatible with our website. A list of the most popular web browsers can be found below.
Just click on the icons to get to the download page.

Jakarta Post

Data of 1.5m patients stolen in Singapore's most serious cyber attack

Irene Tham (The Straits Times/Asia News Network)
Singapore
Fri, July 20, 2018

Share This Article

Change Size

Data of 1.5m patients stolen in Singapore's most serious cyber attack In what is believed to be a state-sponsored attack, the hackers infiltrated the computers of SingHealth, Singapore's largest group of healthcare institutions with four hospitals, five national speciality centres and eight polyclinics. Two other polyclinics used to be under SingHealth. (Shutterstock/File)

I

n Singapore's worst cyber attack, hackers have stolen the personal particulars of 1.5 million patients, including the outpatient prescriptions of 160,000 people, including that of Prime Minister Lee Hsien Loong and a few ministers.

In what is believed to be a state-sponsored attack, the hackers infiltrated the computers of SingHealth, Singapore's largest group of healthcare institutions with four hospitals, five national speciality centres and eight polyclinics. Two other polyclinics used to be under SingHealth.

At a multi-ministry press conference on Friday, the authorities said PM Lee's information was "specifically and repeatedly targeted".

The 1.5 million patients had visited SingHealth's specialist outpatient clinics and polyclinics from May 1, 2015 to July 4, 2018.

Their non-medical personal data that was illegally accessed and copied included their names, IC numbers, addresses, gender, race and dates of birth.

No record was tampered with and no other patient records such as diagnosis, test results and doctors' notes were breached. There was no evidence of a similar breach in the other public healthcare IT systems.

Health Minister Gan Kim Yong and Minister for Communications and Information S. Iswaran both described the leak as the most serious, unprecedented breach of personal data in Singapore.

Read also: 200,000 cyberattack victims in 150-plus states: Europol

Mr Gan apologised to the affected patients, saying: “We are deeply sorry this has happened.”

Mr David Koh, chief executive of the Cyber Security Agency of Singapore, said that “this was a deliberate, targeted and well-planned cyber attack”. “It was not the work of casual hackers or criminal gangs,” he added.

In the light of the attack, all of Singapore's Smart Nation plans, including the National Electronic Health Record (NEHR) project - which enables the sharing of patients' treatment and medical data among hospitals here - have been put on hold.

Minister in Charge of Cyber Security S. Iswaran will convene a Committee of Inquiry (COI) to conduct an independent external review of the incident. Retired district judge Richard Magnus will chair the committee.

Initial investigations showed that one SingHealth front-end workstation was infected with malware through which the hackers gained access to the data base. The data theft happened between June 27, 2018 and July 4, 2018.

SingHealth has imposed a temporary Internet surfing separation on all of its 28,000 staff's work computers. Other public healthcare institutions will do the same.

Unusual activity was first detected on July 4 on one of SingHealth's IT databases. Security measures, including the blocking of dubious connections and changing of passwords, were taken to thwart the hackers.

On July 10, the Health Ministry, SingHealth and the Cyber Security Agency of Singapore were informed after forensic investigations confirmed that it was a cyber attack. A police report was made on July 12.

No further data has been stolen since July 4.

Read also: The cyber security agency's challenge in Indonesia

All patient records in SingHealth's IT system remain intact and there has been no disruption of healthcare services.

SingHealth will be contacting all patients who visited its specialist outpatient clinics and polyclinics from May 1, 2015 to July 4, 2018 to notify them if their data has been stolen. An SMS message will be sent to all patients over the next five days.

Patients can also access the Health Buddy mobile app and SingHealth website to check if they are affected by the breach. They can also check using this link.

Mr Iswaran said that “we must get to the bottom of this breach”.

“We must not let this derail our Smart Nation services... it is the way of the future,” he said, taking a longer term view of the projects.

Even though a thorough review of Smart Nation projects will be conducted, he stressed that Singapore has paused but not halted these projects.

The Ministry of Health has directed a thorough review of the public healthcare system to improve cyber security, and all public and private healthcare institutions have been advised to take cyber-security precautions.


This article appeared on The Straits Times newspaper website, which is a member of Asia News Network and a media partner of The Jakarta Post
 

{

Your Opinion Matters

Share your experiences, suggestions, and any issues you've encountered on The Jakarta Post. We're here to listen.

Enter at least 30 characters
0 / 30

Thank You

Thank you for sharing your thoughts. We appreciate your feedback.