A sophisticated cyber attack launched on the Singapore Health Services (SingHealth) database last month managed to steal the personal particulars of about 1.5 million patients — including Prime Minister Lee Hsien Loong.
In what is considered to be the biggest breach of personal data in the country’s history, the Ministry of Health (MOH) and Ministry of Communications and Information (MCI) today announced the SingHealth’s IT system was hit by a malicious attack on July 4.
According to a joint statement, the data stolen included names, NRIC numbers, addresses, genders, ethnicities, and dates of birth of 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from May 1 2015 to the day of the breach. Out of these, 160,000 patients in the system had records of dispensed medicines extracted.
In particular, PM Lee’s personal information and records of his outpatient dispensed medicines were specifically and repeatedly targeted.
“The records were not tampered with, i.e. no records were amended or deleted,” assured the ministries in the statement. “No other patient records, such as diagnosis, test results or doctors’ notes, were breached,” they stated, adding that no other breaches were found in other public healthcare IT systems.
Be that as it may, but hot damn, 1.5 million sets of private personal data stored in a government-run archive accessed and copied? In the immortal words of local netizens: How can dis b allow?
How we got hacked
According to investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS), the “well-planned cyberattack” was in no way the work of casual hackers or criminal gangs.
IHiS database administrators first detected unusual activity on one of SingHealth’s IT databases on July 4 and immediately acted to halt the attack. Additional cybersecurity precautions were put up, but it was too late — investigations later confirmed that it was indeed cyberattack. The authorities were informed on July 10, and a police report was lodged two days later.
“All patient records in SingHealth’s IT system remain intact. There has been no disruption of healthcare services during the period of the cyber attack, and patient care has not been compromised,” the ministries noted.
Further investigations by the CSA found that the hackers managed to access the SingHealth IT system through a breach on a front-end workstation, where they managed to acquire the account credentials need to access the database.
Since the attack, extra measures have been put in place to tighten up security, including additional controls on workstations and servers, as well as resetting user and systems accounts. The same precautions are being set up for other IT systems across Singapore’s public healthcare sector.
SingHealth is the largest healthcare group in the country, consisting of a network of four public hospitals, five national specialty centers, and nine polyclinics. With that volume of coverage, the database of its registered patients clearly need to be protected, and the importance of it all is stated on the SingHealth website.
Our personal data has not been safe with them, it seems. Click here to check if your records and data were affected in the hack.
PM Lee, on his end, appears to be unflustered by the specific attack on his personal data.
“I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret or at least something to embarrass me,” he wrote in a Facebook post.
“If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it”.
The prime minister then goes on to reassure the public that the government will be “ceaseless” in the efforts to tighten up systems and processes to defend against the attackers. A Committee of Inquiry will be convened to investigate the incident as well.
“We cannot go back to paper records and files,” PM Lee asserted. “We have to go forward, to build a secure and smart nation.”