Singapore's largest health care group, SingHealth, acknowledged today that attackers infiltrated a company database and copied information belonging to roughly 1.5 million patients, including the country's prime minister, Lee Hsien Loong.
Certain patients who visited the public medical network's outpatient clinics and polyclinics from May 1, 2015 through July 4, 2018 were affected. The breach compromised individuals' names, NRIC (National Registration Identity Card) numbers, addresses, demographic data (race and gender), and birth dates. NRIC numbers are issued by the Singaporean government to citizens and permanent residents, and are necessary for conducting various commercial transactions such as opening a bank account or booking a hotel room.
In most cases, no medical information was affected; however, approximately 160,000 victims also had information related to their outpatient dispensed medicines exfiltrated.
"Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) confirmed that this was a deliberate, targeted and well-planned cyberattack. It was not the work of casual hackers or criminal gangs," reads a joint press release posted on SingHealth's website and issued by Singapore's Ministry of Health and Ministry of Communications and Information.
The IHiS is a technology agency that operates the IT systems of Singapore's public healthcare institutions. According to the press release, IHiS database administrators uncovered the anomalous activity on July 4 and confirmed six days later that the cause was a cyberattack that began on June 27.
The initial intrusion took place on a front-end workstation, after which the attackers obtained privileged account credentials, allowing them to access the database itself. In response, SingHealth filed a police report on July 12, and IHiS augmented its security by suspending internet surfing on its work computers, adding controls on workstations and servers, resetting user and systems accounts, and enhancing system monitoring controls.
The press release further discloses that the perpetrators "specifically and repeatedly targeted [Singapore] Prime Minister Lee Hsien Loong's personal particulars and information on his outpatient dispensed medicines."
Loong addressed the matter in a Facebook post, saying, "don't know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me. If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it."
Loong said he consented to having his medical records digitized, despite the inherent risk of a cyberattack, because it is a more efficient way to be treated. Nevertheless, "The security and confidentiality of patient information is a top priority," he stated, noting that in response to the incident he has ordered the CSA and the Smart Nation and Digital Government Group (SNDGG) to work with the Ministry of Health, Singapore "to tighten up their defenses and processes across the board."
All SingHealth patients are slated to receive an SMS-based breach notification within the next five days. However, SingHealth has warned in its own Facebook post that some individuals are receiving fraudulent texts stating that their phone numbers, financial details and medical records have been accessed. Such information was not actually accessed in the breach.