Source: The Hacker News

SingHealth saga: Data breach raises furore amongst local netizens, questions regarding liability

In a press release on Monday (23 July), SingHealth stated that it has “sent SMS notifications to more than 1.8 million patients who visited its specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 to notify them if their data had been illegally accessed and copied”.

The statement followed a cyberattack that affected 1.5 million patients who had visited SingHealth’s specialist outpatient clinics or polyclinics between 1 May 2015 and 4 July 2018, including Prime Minister Lee Hsien Loong, whose personal particulars and outpatient medication data were reportedly “repeatedly and specifically” targeted.

It added that SingHealth patients whose records do not include a registered mobile number “will receive letters informing them the status of their data this week” instead.

SingHealth also reported that “More than 231,000 patients have accessed the Health Buddy mobile app and SingHealth website” to check whether their data were implicated in the cyberattack.

SingHealth reassured patients that “no phone numbers, financial information or other patient medical records were illegally accessed”, adding that its healthcare services, including clinic and hospital operations, were not disrupted by the breach and that “operations [will] continue as normal”.

SingHealth also urged patients “who visited SingHealth specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018, who are unable to do a data check via the Health Buddy mobile app or SingHealth website” to dial 6326 5555 on any day of the week from 9am to 9pm should they require any assistance.

Earlier, in a Facebook post dated 20 July, SingHealth warned patients to watch out for “fake” text messages claiming that their medical records had been accessed.

SingHealth also issued an alert regarding “fake” phone calls related to the cyberattack.

Netizens have expressed concern over the privacy and safety risks that may arise as a result of SingHealth’s compromised medical records database.

Robert Guo said:

I just received this SMS text. Am I to feel assured that someone out there now has all my particulars, including my NRIC number, date of birth, and residential address, all of which are commonly used to confirm my identity when making phone enquiries through banks and government statutory boards?

Lim Chun Hui wrote:

www.singhealth.com.sg/cyberattack (name) -your name, IC, address, gender, race & birth date were accessed but not altered. Mobile no. medical & financial info unaffected. No action needed. We apologise for anxiety caused. For queries [email protected]

Name, NRIC and birth date have been accessed. Does that mean they can call my telco or bank and make unauthorised transactions on my behalf? They usually authenticate the caller using the NRIC or birth date.

If there is any unauthorised transaction and the telco or bank says I was authenticated using my NRIC or birth date, am I going to be responsible for any charges incurred?

Michael Chen said:

Lol. The fact that I got an SMS that addresses me by a different name may show that the data itself has been compromised?!? I am not the only one this has happened to, as reported in the papers.

Moreover, what assurance is there that there is no compromise? Is there independent verification/audit?

David Lee raised pertinent questions regarding SingHealth’s role in safeguarding patients’ data: 

Why is SingHealth not held liable for breach of the PDPA? If it were a private-sector organisation, not related to government agencies, it would be slapped with a heavy penalty. With the impending implementation of the Electronic Health System, how assured are the patients that the system is foolproof and [that there will be] no further breach of patients’ information – whether or not the information has any commercial value?

伟祥梁 enquired:

Why can’t SingHealth use a posted letter to inform us? Now you [SingHealth] are using SMS, you are giving cyber-attackers [the] opportunity to send fake SMS messages to all [patients]. What is this link in the message for? “http://bit.ly/cyber-attack18”

What if cyber-attackers send similar SMS messages with a link to hack our phones?

The Government always asks people to stay alert to SMS scams, and now you all still come up with this kind of stupid idea!

Georg Zoeller wrote:

You guys ought to use a government-branded URL shortener rather than bit.ly where anyone can create links.

This teaches people to expect and click random URLs sent to them via SMS, allowing all kinds of malicious follow-up attacks on people – especially since the attackers may have access to privileged data that can be used to create an official image.

To be frank, the spoofed SMSes were utterly predictable and will lead to many follow-up scams against the population. In 2018, we ought to be more thoughtful and have a playbook for this kind of issue.
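The point above is easy to see in code. The following is an added example, not part of the original article or any commenter’s post: a simple link-trust check of the kind a phone, carrier or SOC filter might apply to an incoming SMS. The official domain allowlist, the shortener list and the sample messages are assumptions constructed for the example; only the two links (www.singhealth.com.sg/cyberattack and http://bit.ly/cyber-attack18) are taken from the SMSes quoted in this thread. The check shows why an official notification sent through bit.ly is indistinguishable from a scam sent through bit.ly, while one that links to singhealth.com.sg directly is not.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of domains the notifying organisation actually controls.
OFFICIAL_DOMAINS = {"singhealth.com.sg", "gov.sg"}
# Assumed list of public shorteners where anyone can mint a link.
PUBLIC_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}

# Matches http(s) URLs and bare www. links as they appear in SMS bodies.
URL_RE = re.compile(r"(?:https?://|www\.)[^\s\"'<>“”]+")

# Constructed sample messages (not real SMSes). The first two reuse the
# links quoted in the thread; the last two are hypothetical scams.
OFFICIAL_SMS = ("www.singhealth.com.sg/cyberattack (name) - your name, IC, "
                "address, gender, race & birth date were accessed but not altered.")
BITLY_SMS = "Check if your data was affected: http://bit.ly/cyber-attack18"
SCAM_BITLY_SMS = "SingHealth: verify your records now at http://bit.ly/shc-verify"
SCAM_LOOKALIKE_SMS = "Data check: https://singhealth.com.sg.verify-now.example/check"


def extract_urls(text):
    """Return every URL-looking token in an SMS body."""
    return URL_RE.findall(text)


def hostname(url):
    """Normalise a URL (with or without scheme) to its lower-case host."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    return (urlparse(url).hostname or "").lower().rstrip(".")


def is_official(host):
    """True only for an allowlisted domain or a subdomain of one.
    A lookalike such as singhealth.com.sg.example.net is rejected because
    the allowlisted name must be the suffix, not a prefix."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def classify_sms(text):
    """Return (verdict, reasons).

    verdict is 'official' when every link resolves to an allowlisted domain,
    'suspicious' when any link is a public shortener or an unknown host, and
    'no-link' when the message carries no URL at all.
    """
    urls = extract_urls(text)
    if not urls:
        return "no-link", []
    reasons = []
    for url in urls:
        host = hostname(url)
        if host in PUBLIC_SHORTENERS:
            reasons.append(f"{host}: public shortener, anyone can mint a link")
        elif not is_official(host):
            reasons.append(f"{host}: not on the official allowlist")
    return ("suspicious" if reasons else "official"), reasons


if __name__ == "__main__":
    for label, sms in [("official", OFFICIAL_SMS), ("bit.ly notice", BITLY_SMS),
                       ("scam bit.ly", SCAM_BITLY_SMS), ("scam lookalike", SCAM_LOOKALIKE_SMS)]:
        verdict, reasons = classify_sms(sms)
        print(f"{label:15} -> {verdict} {reasons}")
```

Run as-is, the genuine bit.ly notification and the constructed bit.ly scam receive the same “suspicious” verdict, which is precisely why a notification campaign should link only to a domain the sender controls: a recipient (or a filter) can then reject every other link without also rejecting the real notice.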

Nur Hayati wrote:

SingHealth, apologies aren’t going to cut it. The information accessed is used by banks, telcos etc. to verify our identities. Moving forward, all organisations holding such information should ensure that their cyber security is tight. Disappointed, and I hope this issue is resolved thoroughly by all agencies.

Lee Tze Hoo said:

SingHealth, I would like to know if any encryption was applied to the data that was taken. If not, what was the reason it was deemed unnecessary to encrypt it?

Also, do you guys have any concrete plans to avoid future data breaches like this?

Poon Alvin wrote:

[…] it says the information was accessed but not altered. Who gives a damn if our data has been altered at your end? The crucial thing is that our data has been accessed and they can do whatever they want with our information. SingHealth, are you trying to [use a] red herring [argument]? Apart from strengthening your systems, you are answerable to the country on this mishap!