SINGAPORE: Multiple unauthorised log-in attempts were detected on the Health Promotion Board's (HPB) HealthHub portal over four days, the statutory board said on Thursday (Oct 18).
HPB said it conducted an investigation after it received feedback from a user who suspected that her email account had been used without her authorisation to log in to the portal.
It found a "higher than usual" number of attempted log-ins on four days - Sep 28, Oct 3, Oct 8 and Oct 9. The attempts were made with more than 27,000 unique IDs and emails.
Although 98 per cent of the email addresses used were not related to existing HealthHub accounts and the log-in attempts were unsuccessful, 72 accounts were successfully logged in during those time periods.
"Based on the suspicious volume of email addresses not related to HealthHub account IDs and the repeated attempts, it is likely that the volume of email addresses used had been obtained from external sources," HPB said in its statement.
No evidence of a breach in the HealthHub system has been found, it added.
The HealthHub portal is owned by HPB and operated by Integrated Health Information Systems (IHiS), which runs the IT systems of all public healthcare systems in Singapore.
The unusual log-in attempts and access were limited to the basic tier of HealthHub, which contains a user's profile, as well as Healthpoints accumulated through participation in HPB programmes. Other e-services require a SingPass and two-factor authentication, and were unaffected, HPB said.
The 72 accounts that were successfully logged in were subsequently locked. HPB has contacted the account holders to inform them of the suspicious activity, and to check if they had made the attempts themselves.
Access to HealthHub e-services and the mobile app were suspended from Oct 9 to Oct 14 as a precautionary measure, and has since been restored, HPB said.
Mr Steven D'sa, director of Southeast Asia at FireEye, said that the firm regularly observes attackers trying to use passwords from breaches against other services.
"So it's important to use strong, unique passwords on all your accounts," he said.
READ: If they were looking to embarrass me, they would've been disappointed: PM Lee on SingHealth cyberattackers
In June, the Singapore health system was hit by the "most serious breach of personal data” in the country's history. About 1.5 million SingHealth patients’ records were accessed and copied while 160,000 of those had their outpatient dispensed medicines’ records taken.
Among those affected was Prime Minister Lee Hsien Loong, with the attackers “specifically and repeatedly targeting” his personal particulars and information of his outpatient dispensed medicines. Several other ministers were also affected, including Emeritus Senior Minister Goh Chok Tong.
The personal data taken from the 1.5 million patients included their names, NRIC numbers, address, gender, race and date of birth.
The Committee of Inquiry looking into the SingHealth cyberattack found that the exploited server had not been updated for more than a year at the time.