SingHealth hacked; records of 1.5m patients, including PM Lee Hsien Loong, stolen

SINGHEALTH - Singapore's largest group of healthcare institutions which include Singapore General Hospital and KK Women's and Children's Hospital - has been the target of a cyber attack said to be the most serious breach of personal data in Singapore's history.

Prime Minister Lee Hsien Loong's personal particulars, as well as information on his outpatient dispensed medicines, were stolen after specific and repeated efforts to attain them.

About 1.5 million patients who visited SingHealth's specialist outpatient clinics and polyclinics from May 1, 2015 to July 4, 2018 have had their non-medical personal particulars illegally accessed and copied. The data taken include name, NRIC number, address, gender, race and date of birth.

Information on the outpatient dispensed medicines of about 160,000 of these patients was also taken.

The records were not tampered with (ie, amended or deleted) and no other patient records - such as diagnosis, test results or doctors' notes - were breached, said the Ministry of Health (MOH) and Ministry of Communications and Information (MCI) in a joint statement on Friday. "We have not found evidence of a similar breach in the other public healthcare IT systems," they added.

Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) - the technology agency for the public healthcare sector - confirmed that this was a "deliberate, targeted and well-planned" cyber attack, said MOH and MCI. "It was not the work of casual hackers or criminal gangs," the two ministries added.

IHiS, with CSA's support, has implemented measures to tighten the security of SingHealth's IT systems, including temporarily imposing Internet surfing separation; placing additional controls on workstations and servers, reset user and systems accounts; and installing additional system monitoring controls. Similar measures are being put in place for IT systems across the public healthcare sector against this threat.

S Iswaran, the minister-in-charge of cyber security, will convene a Committee of Inquiry (COI) to establish the events and contributory factors leading to the cyber security attack, and the incident response.

It will also recommend measures to better manage and secure SingHealth's and other public sector IT systems against similar cyber security attacks in future.

Richard Magnus, a retired Chief District Judge and member of the Public Service Commission, will chair the COI.

The COI's composition and terms of reference will be announced at a later date.