Singapore’s Healthcare Industry Has Been Attacked

Singapore’s Prime Minister, Lee Hsien Loong made an announcement through Twitter (@leehsienloong) that 1.5 million personal patient records, including his own personal data, has been stolen in a major cyber attack against SingHealth. SingHealth, according to its LinkedIn profile boasts having over three million patients and a healthcare company team of over 12,000 healthcare professionals.

In an expression of solidarity, Prime Minister Lee expressed his desire to see the perpetrators identified soon and brought to justice. He says, “This will be a ceaseless effort. Those trying to break into our data systems are extremely skilled and determined. They have huge resources and never give up trying. If we discover a breach, we must promptly put it right, improve our systems and inform the people affected,” PM Lee emphasized.

Further, the Prime Minister does not discount the possibility that the attack may have been motivated by a malicious interest to learn more about his patient own record. He explains more in a Facebook post: The attackers targeted my own medication data, specifically and repeatedly. I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret or at least something to embarrass me. If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it. When SingHealth digitized its medical records, they asked me whether to computerize my own personal records too or to keep mine in hardcopy for security reasons. I asked to be included. Going digital would enable my doctors to treat me more effectively and in a timely manner. I was confident that SingHealth would do their best to protect my patient information, just as it did for all their other patients in the database.

The data breach included the leakage of 160,000 prescription records, a caper that can easily be called a record-breaking cyberattack against Singapore’s premier healthcare firm, with four hospital branches in the city-state. The extent of patient data exposed in the attack included information added to the system between May 1, 2015, and July 4, 2018.

PM Lee has informed a Committee of Inquiry who will further investigate the hacking incident. As of this writing, an SMS message from the committee had already been sent to all affected patients.

Those patients without mobile numbers who registered with the SingHealth hospitals will receive communications by mail, which will provide them and their families with detailed information about the incident, similar to the SMS users. Singapore’s Ministry of Communication and Ministry of Health also made a joint statement to this effect, “Patients can also access the Health Buddy mobile app or SingHealth website to check if they are affected by this incident.”

CSA chief executive, David Koh, explains further, “We are watching to see if anything appears on the internet, both in the open and in some of the less well-known websites. But considering the type of data that’s been exfiltrated, it is—from our professional experience—unlikely that these will appear because there is no strong commercial value to these types of data. These occurrences have happened even in some of the most secure systems around the world. So, I think we have to keep the incident in perspective, and then allow due process to take its course.”