In the worst ever breach of personal data in Singapore, hackers have stolen information of 1.5 million patients, including that of Prime Minister Lee Hsien Loong, by infiltrating the computers of the country’s largest health group, the authorities said today.
The hackers infiltrated SingHealth and stole the health records, including the outpatient prescriptions of 1,60,000 people, from the period between May 1, 2015 and July 4, 2018, they said.
The data theft happened between June 27 and July 4. However, the hackers did not amend or delete the records, the Ministry of Health and the Ministry of Communications and Information said.
SingHealth patients’ medical records, including past diagnosis, doctors’ notes and health scans, were not affected, the release added.
The hackers “specifically and repeatedly” targeted PM Loong’s particulars, it said.
The data stolen included the patients’ names, National Registration Identity Card numbers, address, gender, race and date of birth, the ministries said, adding that they have not found evidence of a similar breach in other public healthcare IT systems.
Earlier in the day, in a press conference, Health Minister Gan Kim Yong apologised to the affected patients, while Communications and Information Minister S Iswaran vowed to get to the bottom of the breach.
Calling the attack “unprecedented”, Gan said, “We must learn from this and emerge stronger and more resilient from this incident.”
Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHIS) confirmed that the attack was a “deliberate, targeted and well-planned cyberattack” and was not the work of casual hackers.
When asked which country might have been involved in the cyberattack, CSA chief executive David Koh refused to divulge any information due to “operational security reasons”.
Unusual activity was first detected on one of SingHealth’s IT databases on July 4. On July 10, the Health Ministry, higher officials of SingHealth and CSA were informed about the cyberattack. SingHealth lodged a police complaint on July 12, the release said.
No further data has been stolen since July 4, it said, adding that there was no disruption of healthcare services during the period of the cyberattack and patient care has not been compromised.
Meanwhile, the Minister-in-charge of Cybersecurity, S Iswaran, today convened a Committee of Inquiry (CoI) into the incident.
In the wake of the attack, the introduction of new ICT systems in the country’s healthcare system has been put on hold till respective reviews are completed and security posture established.
“While we will do our utmost to secure our IT systems from attack, unfortunately we cannot completely eliminate the risk of another cybersecurity attack… However, we must not allow this incident, or any others like it, to derail our plans for a Smart Nation,” the ministries said in the release.