Singapore imposes fine on IHiS, SingHealth on data breach

Singapore's privacy watchdog Personal Data Protection Commission (PDPC) today imposed fines of Sg$1 million, or $740,000, on a healthcare provider and an IT agency over a cyber-attack that saw health records of about quarter of the population stolen with Prime Minister Lee Hsien Loong among those targeted.

The penalties for lapses that led to the most severe data breach in Singapore’s history were imposed on SingHealth and the Integrated Health Information Systems (IHiS).

The data breach occurred between June and July 2018.

IHiS is the technology vendor for Singapore’s healthcare sector. The PDPC felt that while the majority of the fault lay with IHiS, SingHealth still needed to take some responsibility for the data breach, in part because of the following reasons.

The IHis received a $740,000 fine, due to a report that was published last week, saying that sufficient security measures had not been installed to protect the data from SingHealth under its purview.

SingHealth, a healthcare provider which groups some public hospitals and clinics, was hit with an Sg$250,000 fine.

The commission said the organizations had failed to "make reasonable security arrangements to protect the personal data of individuals".

The stolen information was "highly sensitive and confidential personal data," it said.

"It is not difficult to imagine the potential embarrassment that a patient may suffer if such sensitive information about the patient and the patient's health concerns were made known to all and sundry."

The PDPC took SingHealth and IHiS’s full cooperation with the investigation into consideration, plus the fact that immediate actions were taken once the extent of the breach was determined.

On July 4, 2018, when the breach was found out, the Integrated Health Information Systems worked with the Cyber Security Agency of Singapore to stop any further hacking of patient information.

SingHealth group CEO Professor Ivy Ng accepted a fine and issued an apology to the patients whose data had been stolen.

Officials have not disclosed which state they believe was behind the breach, which occurred between June 27 and July 4. The compromised data included personal information and medication dispensed to patients.