
Singapore Healthcare Data Breach Brings Hefty Fines

January 22, 2019

The Singapore healthcare data breach back in July was the biggest incident of its kind ever recorded in the country. Some 1.5 million people had their personal details exposed when hackers successfully broke into SingHealth and Singapore’s public healthcare sector IT agency, IHIS.


What happened in the Singapore healthcare data breach?

The Singapore healthcare data breach was quite a few months back now, but the punishments for poor response and handling are only now being dished out by Singapore’s Personal Data Protection Commission (PDPC). Let’s remind ourselves what happened and what went wrong.

Patient databases were infiltrated by customized malware that managed to penetrate SingHealth’s antivirus and security tools. The malware soon spread to IHIS. It was an advanced persistent threat that the organization was dealing with. However, several things have come to light in the aftermath.

First of all, the malware hack took advantage of a known Outlook exploit, and one workstation was still running an outdated version that had not been patched to deal with the issue. On top of that, part of the attack also took advantage of one local administrator using the easily deciphered password of ‘[email protected]’. Large numbers of queries were also made to the database once the attackers were in. This is normally a red flag that something might be up in your system, but it was not spotted.

In fact, it is this slow response and realization that has landed both organizations in particularly hot water.
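The unusual query volume mentioned above is the kind of signal a database audit log can surface if someone is looking for it. The following is an added illustration, not code from SingHealth, IHIS or the PDPC findings: the log format, account names, window and threshold are all constructed, and the threshold stands in for whatever baseline an organization measures for its own accounts.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines, one per statement: "<timestamp> <account> <verb>".
SAMPLE_LOG = """\
2018-06-27T08:00:01 app_svc SELECT
2018-06-27T08:01:10 app_svc UPDATE
2018-06-27T08:02:00 clinician_12 SELECT
2018-06-27T08:02:30 clinician_12 SELECT
2018-06-27T08:10:00 ws_localadmin SELECT
2018-06-27T08:10:02 ws_localadmin SELECT
2018-06-27T08:10:03 ws_localadmin SELECT
2018-06-27T08:10:05 ws_localadmin SELECT
2018-06-27T08:10:06 ws_localadmin SELECT
2018-06-27T08:10:08 ws_localadmin SELECT
2018-06-27T08:10:09 ws_localadmin SELECT
2018-06-27T08:30:00 app_svc SELECT
"""

def parse_log(text):
    """Return sorted (timestamp, account, verb) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
        except ValueError:
            continue
    return sorted(events)

def query_bursts(events, window=timedelta(minutes=5), threshold=5):
    """For each account, the most statements seen in any sliding window of
    length `window`; only accounts whose peak exceeds `threshold` are returned."""
    stamps = defaultdict(list)
    for ts, account, _verb in events:
        stamps[account].append(ts)
    flagged = {}
    for account, times in stamps.items():
        start, peak = 0, 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[account] = peak
    return flagged
```

A per-account baseline (for example, the 95th percentile of historical window counts) is a better threshold than a single constant, since a service account legitimately issues far more statements than a clinician’s workstation.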

Fines for Singapore healthcare data breach

The Singapore healthcare data breach has resulted in a S$250,000 ($184,000) fine for SingHealth and S$750,000 ($553,000) for IHIS, by far the biggest penalties dished out in Singapore’s history for cyber security inadequacies. PDPC said:

“SingHealth personnel handling security incidents was unfamiliar with the incident response process, overly dependent on IHIS, and failed to understand and take further steps to understand the significance of the information provided by IHIS after it was surfaced.

“Even if organizations delegate work to vendors, organizations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers.”

The trend continues: data breach fines are becoming more and more common around the world. When you get cyber security wrong, you don’t just pay the price of the hack, you pay the price of a fine afterwards.