Hackers have managed to access and copy the non-medical personal particulars of around 1.5 million patients in Singapore, including that of the country’s Prime Minister Lee Hsien Loong, according to a press release issued by the Ministry of Health (MOH) and the Ministry of Communications and Information (MCI).
This has been deemed the most serious cyber attack that has been launched in Singapore, called “unprecedented” by Gan Kim Yong, the Health Minister of Singapore at a press conference today.
The patients who had their information stolen would have had visited government healthcare group SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018. Non-medical personal particulars include their name, NRIC number, address, gender, race and date of birth.
Out of which, they also managed to extract information on the outpatient dispensed medicines of around 160,000 patients.
The perpetrators also “specifically and repeatedly targeted” the Prime Minister’s medical records, including what outpatient medicines he was given.
“I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me. If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it,” wrote the Prime Minister on his official Facebook page.
When: The cyber attack took place over a week. It first began on 27 June and ended 4 July. Administrators from the Integrated Health Information Systems (IHIS) group detected odd activity on 4 July. On 10 July, investigations determined that it was a cyber attack. A police report was lodged on 12 July.
How: The attack was launched from a front-end workstation. Hackers managed to obtain privileged account credentials to gain access to Singhealth’s database. The breach has been contained, said MCI and MOH.
Who: According to the Cyber Security Agency of Singapore (CSA) and IHIS, this was not the work of casual hackers or criminal gangs, but instead a deliberate, targeted and well-planned cyber attack.
According to Channel NewsAsia, authorities have established the source of the attacks, adding that “only a few countries in the world” have the calibre to pull off such a heist. When asked which country it could be, David Koh of CSA declined to share more due to “operational security reasons”.
The joint release by MCI and MOH added that records were not tampered with, amended or deleted and that no other patient records, such as diagnosis, test results or doctors’ notes were breached.
“We have not found evidence of a similar breach in the other public healthcare IT systems,” it continued.
Additional cyber-security measures, such as adding controls on workstations and servers, resetting user and system accords, and installing additional system monitoring controls, are also put in place as another wall of defence.
MOH has also directed IHIS to conduct a thorough review of the complete system, including getting support from third-party experts, and improving cyber threat prevention, detection and response.
Such a threat is taken very seriously, said MCI and MOH. A Committee of Inquiry will also be set up to conduct an independent external review of this incident, it added. S Iswaran, the Minister of Communications and Information will convene this committee, which will be headed by Richard Magnus, a former Chief District Judge.
“We will do our utmost to secure our IT systems. However, unfortunately, we cannot completely eliminate the risk of another cybersecurity attack,” said Iswaran.
Going forward, SingHealth will be contacting all affected patients to notify them if they have had their information accessed illegally. Additionally, all patients, whether or not affected, will receive an SMS notification over the next five days and can check if their records were stolen by using the SingHealth website or its Health Buddy smartphone application.