SingHealth cyber attack: 1.5 million patients’ personal information stolen

Singapore has suffered its worst cyber attack after criminal hackers stole the personal information of 1.5 million SingHealth patients – just under a third of the population of Singapore.

Who has been affected?

In a statement, the Ministry of Communications and Information and the Ministry of Health confirmed that “this was a deliberate, targeted and well-planned cyberattack. It was not the work of casual hackers or criminal gangs”.

About 1.5 million patients who visited SingHealth specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 have been affected by the incident. Information that was illegally accessed and copied included:

  • Names
  • NRIC numbers
  • Addresses
  • Gender
  • Race
  • Dates of birth

At the time of the statement, SingHealth announced they will contact all patients by SMS to notify them if their data was stolen, in the next five days. Patients can also check if they have been affected by the breach >>

Among the affected patients, 160,000 had their outpatient prescriptions stolen, including Singapore’s Prime Minister Lee Hsien Loong, whose information was “specifically and repeatedly targeted”, and some ministers.

In a Facebook post, Lee said: “I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me. If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it.”

There has been no evidence of a similar breach in other public healthcare IT systems.

How did the cyber attack happen?

On 4 July, unusual activity was detected on one of SingHealth’s IT databases, at which point an investigation was carried out and extra security measures were put in place.

On 10 July, it was discovered that this unusual activity had been a cyber attack and data had been stolen. SingHealth lodged a police report two days later.

The attack has been described by Health Minister Gan Kim Yong and Minister for Communications and Information S. Iswaran as the “most serious, unprecedented breach of personal data in Singapore”.

Mr Iswaran will assemble a Committee of Inquiry to conduct an external review of the incident, and stressed it “will make sure we leave no stone unturned in learning from this and preventing a similar incident from occurring”.

Cyber attacks in Singapore

Singapore is driving an initiative to become a ‘Smart Nation’, aiming to harness a combination of technology and connectivity to improve living, build close communities, empower citizens through jobs and opportunities, and help businesses innovate and grow.

Losses from cyber attacks and data breaches can be disastrous, and unfortunately this recent attack is not an isolated incident for Singapore.

At the beginning of 2018, Xinmin Secondary School in Singapore reported that hundreds of students’ national registration numbers were leaked online, and in 2017, it was reported that personal data of national servicemen and Ministry of Defence staff were stolen in another “targeted and carefully planned” cyber attack.

The need for robust cyber security cannot be stressed enough, but the process should be an ongoing one as cyber threats continually evolve.

The importance of ISO 27001

Organisations across Singapore should look to adopt best-practice information security standards to protect themselves, such as ISO 27001, the international standard that describes best practice for an ISMS (information security management system).

An ISO 27001-conformant ISMS is a proven framework that helps organisations protect their sensitive and confidential information with a combination of effective technology, auditing and testing, organisational policies and processes, and staff awareness programmes.

Purchase a copy of ISO 27001 >>

For more information on implementing an ISO 27001-compliant ISMS, download our free green paper Implementing an ISMS – The nine-step approach for a quick introduction.