In the worst ever breach of personal data in Singapore, hackers have stolen information of 1.5 million patients, including that of Prime Minister Lee Hsien Loong, by infiltrating the computers of the country's largest health group, the authorities said.
The hackers infiltrated SingHealth and stole the health records, including the outpatient prescriptions of 160,000 people, from the period between 1 May 2015 and 4 July 2018, they said.
The data theft happened between 27 June and 4 July. However, the hackers did not amend or delete the records, the Ministry of Health and the Ministry of Communications and Information said in a joint statement.
The SingHealth Patients' medical records, including past diagnosis, doctors' notes and health scans, were not affected, the release added.
The hackers “specifically and repeatedly" targetted PM Loong's particulars, it said.
The data stolen included the patients' names, National Registration Identity Card numbers, address, gender, race and date of birth, the ministries said, adding that they have not found evidence of a similar breach in other public healthcare IT systems.
Earlier in the day, in a press conference, Health Minister Gan Kim Yong apologised to the affected patients, while Communications and Information Minister S Iswaran vowed to get to the bottom of the breach.
Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHIS) confirmed that the attack was a “deliberate, targeted and well-planned cyberattack” and was not the work of casual hackers.
When asked which country might have been involved in the cyberattack, CSA chief executive David Koh refused to divulge any information due to "operational security reasons".
Unusual activity was first detected on one of SingHealth's IT databases on 4 July. On 10 July, the Health Ministry, higher officials of SingHealth and CSA were informed about the cyberattack. SingHealth lodged a police complaint on July 12, the release said.
No further data has been stolen since 4 July, it said, adding that there was no disruption of healthcare services during the period of the cyberattack and patient care has not been compromised.
Meanwhile, the Minister-in-charge of Cybersecurity, S Iswaran, on Friday, 20 July, convened a Committee of Inquiry (CoI) into the incident. In the wake of the attack, the introduction of new ICT systems in the country's healthcare system has been put on hold till respective reviews are completed and security posture established.
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)