SingHealth and Singapore’s public healthcare sector IT agency IHIS have been slapped with S$250,000 and S$750,000 financial penalties, respectively, for the July 2018 cybersecurity attack that breached the country’s personal data protection act. The fines are the highest dished out to date.
Singapore Health Services has been fined S$250,000 while Integrated Health Information Systems, the IT agency responsible for Singapore’s public healthcare sector, is slapped with a S$750,000 fine, for failing to take adequate security measures to safeguard personal data. The oversight had contributed to the July 2018 cybersecurity attack that compromised personal details of 1.5 million SingHealth patients, and breached their data protection obligations outlined in Singapore’s Personal Data Protection Act.
SingHealth was held responsible as the owner of the patient database that was infiltrated in the attack that resulted in the worst breach of personal data in Singaporean history, said Personal Data Protection Commission, which administers the legislation, in a statement Tuesday. The outpatient medical records of another 160,000 patients were also compromised in the incident.
PDPC said: “SingHealth personnel handling security incidents was unfamiliar with the incident response process, overly dependent on IHiS, and failed to understand and take further steps to understand the significance of the information provided by IHIS after it was surfaced.
“Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers,” the commission said. “These financial penalties are the highest ever imposed by PDPC, to date.”
It said it took into account that the data breach was the country’s largest and had involved sensitive and confidential patient data. It also noted the two organisations had taken immediate remedial actions and that the cyberattack was the work of an APT (advanced persistent threat) group that used “numerous advanced, customised, and stealthy” tools. The hackers had carried out the attack over a period that spanned more than 10 months from August 2017.
The database involved in the cyber attack had contained patient data of more than 5.01 million individuals, as of July 2018, the PDPC said in its report. The SingHealth group comprised several public hospitals and healthcare institutions, including Singapore General Hospital — which is the location of the servers that were hacked — National Cancer Centre, National Heart Centre Singapore, and Singapore National Eye Centre.
In its report, the commission noted that SingHealth’s CISO (chief information security officer) failed to exercise independent judgement and comply with the IT security incident reporting processes, calling into question whether SingHealth had reasonable and appropriate measures in place to protect against unauthorised access of personal data contained in its databases.
“More importantly, it points to a larger systemic issue within the organisation. To begin with, parties should put in place a contract that sets out the obligations and responsibilities of a data intermediary to protect the organisation’s personal data and the parties’ respective roles, obligations, and responsibilities to protect the personal data,” PDPC said.
IHIS on Monday said two employees had been sacked for negligence and non-compliance of orders, while five senior management executives including its CEO Bruce Liang were fined for their “collective leadership responsibility” over the SingHealth security breach.
The agency said the IT team administering the systems could have mitigated the effects of the cyber attack if it had exercised proper compliance and management of the servers. Also, the security incident response manager failed to comprehend what constituted as a “security incident” and, as such, did not raise the alarm despite repeated alerts by his staff.
A committee appointed to review the events leading up to the SingHealth attack last week published a list of 16 recommendations that should be adopted to plug existing gaps and improve the protection of personal data. In response, Singapore’s Communications and Information Minister S Iswaran said in parliament Tuesday that the government would “fully adopt” the committee’s advice and do its best to safeguard personal data and secure its systems.
The minister also revealed that the government was able to identify the hackers responsible for the SingHealth cyberattack, and that it had taken appropriate action, but would not reveal the identity of these perpetrators for “nation security reasons”. Probed further by another Member of Parliament about the hackers’ identity, Iswaran said it was “not in our interest to make a public attribution”.
Date: January 29, 2019