In the worst ever breach of personal data in Singapore, hackers have stolen information of 1.5 million patients, including that of Prime Minister Lee Hsien Loong, by infiltrating the computers of the country's largest health group, the authorities said.
The hackers infiltrated SingHealth and stole the health records, including the outpatient prescriptions of 160,000 people, from the period between 1 May 2015 and 4 July 2018, they said.
The data theft happened between 27 June and 4 July. However, the hackers did not amend or delete the records, the Ministry of Health and the Ministry of Communications and Information said in a joint statement.
Data Includes Medical Records, Past Diagnosis, Doctors' Notes
The SingHealth Patients' medical records, including past diagnosis, doctors' notes and health scans, were not affected, the release added.
The hackers “specifically and repeatedly" targetted PM Loong's particulars, it said.
The data stolen included the patients' names, National Registration Identity Card numbers, address, gender, race and date of birth, the ministries said, adding that they have not found evidence of a similar breach in other public healthcare IT systems.
Earlier in the day, in a press conference, Health Minister Gan Kim Yong apologised to the affected patients, while Communications and Information Minister S Iswaran vowed to get to the bottom of the breach.
We must learn from this and emerge stronger and more resilient from this incident.Gan Kim Yong, Minister of Health, Singapore
Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHIS) confirmed that the attack was a “deliberate, targeted and well-planned cyberattack” and was not the work of casual hackers.
When asked which country might have been involved in the cyberattack, CSA chief executive David Koh refused to divulge any information due to "operational security reasons".
‘Unusual Activity First Detected on 4 July’
Unusual activity was first detected on one of SingHealth's IT databases on 4 July. On 10 July, the Health Ministry, higher officials of SingHealth and CSA were informed about the cyberattack. SingHealth lodged a police complaint on July 12, the release said.
No further data has been stolen since 4 July, it said, adding that there was no disruption of healthcare services during the period of the cyberattack and patient care has not been compromised.
Meanwhile, the Minister-in-charge of Cybersecurity, S Iswaran, on Friday, 20 July, convened a Committee of Inquiry (CoI) into the incident. In the wake of the attack, the introduction of new ICT systems in the country's healthcare system has been put on hold till respective reviews are completed and security posture established.
While we will do utmost to secure our IT systems from attack, unfortunately we cannot completely eliminate the risk of another cybersecurity attack. However, we must not allow this incident, or any others like it, to derail our plans for a Smart Nation.Ministry of Communications and Information of Singapore
(At The Quint, we are answerable only to our audience. Play an active role in shaping our journalism by becoming a member. Because the truth is worth it.)