Joint statement from the Ministry of Health and Ministry of Communications and Information on the major cyberattack that had records of some 1.5 million SingHealth patients stolen.
About 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 have had their non-medical personal particulars illegally accessed and copied. The data taken include name, NRIC number, address, gender, race and date of birth. Information on the outpatient dispensed medicines of about 160,000 of these patients were also exfiltrated.
The records were not tampered with, i.e. no records were amended or deleted. No other patient records, such as diagnosis, test results or doctors’ notes, were breached. We have not found evidence of a similar breach in the other public healthcare IT systems.
Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) confirmed that this was a deliberate, targeted and well-planned cyberattack. It was not the work of casual hackers or criminal gangs.
The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines.
On 4 July 2018. IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity. IHiS investigated the incident to ascertain the nature of the activity, while putting in place additional cybersecurity precautions.
On 10 July 2018, investigations confirmed that it was a cyberattack, and the Ministry of Health (MOH), SingHealth and CSA were informed. It was established that data was exfiltrated from 27 June 2018 to 4 July 2018. SingHealth lodged a police report on 12 July 2018. Police investigation is ongoing.
With heightened monitoring, further malicious activities were observed. However, no further illegal exfiltration has been detected since 4 July 2018. All patient records in SingHealth’s IT system remain intact. There has been no disruption of healthcare services during the period of the cyberattack, and patient care has not been compromised.
IHiS, with CSA’s support, has implemented further measures to tighten the security of SingHealth’s IT systems. These included temporarily imposing internet surfing separation. We have also placed additional controls on workstations and servers, reset user and systems accounts, and installed additional system monitoring controls.
Similar measures are being put in place for IT systems across the public healthcare sector against this threat.
Investigation by Cyber Security Agency of Singapore
CSA has ascertained that the cyber attackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation. They subsequently managed to obtain privileged account credentials to gain privileged access to the database. Upon discovery, the breach was immediately contained, preventing further illegal exfiltration.
From today, SingHealth will be progressively contacting all patients who visited its specialist outpatient clinics and polyclinic from 1 May 2015 to 4 July 2018, to notify them if their data had been illegally exfiltrated. All the patients, whether or not their data were compromised, will receive and SMS notification over the next five days.
Patients can also access the Health Buddy mobile app or SingHealth website to check if they are affected by the incident.
MOH has directed IHiS to conduct a thorough review of our public healthcare system, with support from third-party experts, to improve cyber threat prevention, detection and response. Areas of review will include cybersecurity policies, threat management processes, IT systems controls and organisational and staff capabilities. Advisories have been sent to all healthcare institutions, public and private, on the cybersecurity precautions and measures to be taken.
The Government takes a serious view of any cyberattack, illegal access of data or action that compromises the confidentiality of data in Singapore. The Minister-in-Charge of Cyber Security will establish a Committee of Inquiry to conduct an independent external review of this incident.