Firms Fined $1M For SingHealth Data Security Breach
Singapore Health Services (SingHealth) has been fined S$250,000, while Integrated Health Information Systems (IHIS), the IT agency responsible for Singapore's public healthcare sector, has been fined S$750,000, for failing to take adequate security measures to safeguard personal data. These lapses contributed to the July 2018 cyberattack that compromised the personal details of 1.5 million SingHealth patients, and breached the two organisations' data protection obligations under Singapore's Personal Data Protection Act.
SingHealth was held responsible as the owner of the patient database that was infiltrated in the attack, which resulted in the worst breach of personal data in Singapore's history, said the Personal Data Protection Commission (PDPC), which administers the legislation, in a statement Tuesday. The outpatient medical records of another 160,000 patients were also compromised in the incident.
PDPC said: "SingHealth personnel handling security incidents was unfamiliar with the incident response process, overly dependent on IHiS, and failed to understand and take further steps to understand the significance of the information provided by IHIS after it was surfaced.
"Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers," the commission said. "These financial penalties are the highest ever imposed by PDPC, to date."
It said it took into account that the data breach was the country's largest and had involved sensitive and confidential patient data. It also noted the two organisations had taken immediate remedial actions and that the cyberattack was the work of an APT (advanced persistent threat) group that used "numerous advanced, customised, and stealthy" tools. The hackers had carried out the attack over a period that spanned more than 10 months from August 2017.
The database involved in the cyberattack contained patient data of more than 5.01 million individuals as of July 2018, PDPC revealed in its report. The SingHealth group comprised several public hospitals and healthcare institutions, including Singapore General Hospital, which hosted the servers hacked in the attack, as well as National Cancer Centre, National Heart Centre Singapore, and Singapore National Eye Centre.
In its report, the commission noted that the failure of SingHealth's CISO (chief information security officer) to comply with the IT security incident reporting processes, as well as to exercise independent judgement, calls into question whether SingHealth had taken reasonable and appropriate measures to protect the personal data contained in the database against unauthorised access.
PDPC said: "More importantly, it points to a larger systemic issue within the organisation. To begin with, parties should put in place a contract that sets out the obligations and responsibilities of a data intermediary to protect the organisation's personal data and the parties' respective roles, obligations, and responsibilities to protect the personal data."
IHIS on Monday said two employees had been sacked for negligence and non-compliance with orders, while five senior management executives, including its CEO Bruce Liang, were fined for their "collective leadership responsibility" over the SingHealth security breach.
The agency said the IT team administering the systems could have mitigated the effects of the cyberattack if it had exercised proper compliance and management of the servers. In addition, the security incident response manager failed to comprehend what constituted a "security incident" and, as such, did not raise the alarm despite repeated alerts from his staff.
Related Coverage
Employees sacked, CEO fined in SingHealth security breach
Two staff members have been fired for negligence and five senior management executives, including the CEO, were fined for their "collective leadership responsibility" in Singapore's most serious security breach, which compromised personal data of 1.5 million SingHealth patients.
SingHealth breach review recommends remedies that should already be basic security policies
The review committee also finds IT staff to be lacking in cybersecurity awareness and resources and SingHealth's network misconfigured with security vulnerabilities, which helped hackers succeed in breaching its systems.
SingHealth data breach reveals several 'inadequate' security measures
Investigation into the July 2018 incident reveals tardiness in raising the alarm, use of weak administrative passwords, and an unpatched workstation that enabled hackers to breach the system as early as August last year.
Singapore explores virtual browsers following SingHealth data breach
Health Ministry is piloting the use of quarantined servers as part of efforts to "reduce the number of potential attack points", following last month's security breach that compromised the personal data of 1.5 million patients.
Singapore banks told to tighten data verification following SingHealth breach
Monetary Authority of Singapore instructs financial institutions to tighten their customer verification processes following SingHealth's security breach, which compromised personal data of 1.5 million people.