Hackers stole personal, medication data of a quarter of Singaporeans

Hackers have breached Singapore’s health service and have stolen personal information of some 1.5 million patients. They have also compromised outpatient medication data of 160,000 individuals, including Singapore’s Prime Minister Lee Hsien Loong.

The Ministry of Health (MOH) and Ministry of Communications and Information (MCI) revealed details about the breach on Friday:

• The breach was discovered 4 July 2018 and confirmed on 10 July 2018
• The attackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation, then managed to obtain privileged account credentials to gain privileged access to the database
• The exfiltrated personal information: name, NRIC (National Registration Identity Card) number, address, gender, race and date of birth. They also stole information on the outpatient dispensed medicines of about 160,000 of these patients. The data was exfiltrated from 27 June 2018 to 4 July 2018.
• They didn’t access patient records, such as diagnosis, test results or doctors’ notes, nor did they tamper with any of the records
• There has been no disruption of healthcare services during the period of the cyberattack.

“Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) confirmed that this was a deliberate, targeted and well-planned cyberattack. It was not the work of casual hackers or criminal gangs,” the ministries pointed out.

“The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines.”

Defensive measures

PM Lee has ordered the Cyber Security Agency of Singapore (CSA) and the Smart Nation and Digital Government Group (SNDGG) to work together with the Ministry of Health, Singapore to tighten up their defences and processes.

“We are convening a Committee of Inquiry to look thoroughly into this incident. It will doubtless have valuable conclusions and recommendations, which will help us do better,” headded. “We cannot go back to paper records and files. We have to go forward, to build a secure and smart nation.”

IHiS has, in the meantime, implemented measures to tighten the security of SingHealth’s IT systems: they temporarily imposed internet surfing separation, have placed additional controls on workstations and servers, reset user and systems accounts, and installed additional system monitoring controls.

“Similar measures are being put in place for IT systems across the public healthcare sector against this threat,” they noted.

“MOH has directed IHiS to conduct a thorough review of our public healthcare system, with support from third-party experts, to improve cyber threat prevention, detection and response. Areas of review will include cybersecurity policies, threat management processes, IT system controls and organisational and staff capabilities. Advisories have been sent to all healthcare institutions, public and private, on the cybersecurity precautions and measures to be taken.”

Affected patients will be notified of the breach via SMS.