SINGAPORE: The Personal Data Protection Commission (PDPC) has slapped a fine of S$750,000 on IHiS and S$250,000 on SingHealth for breaching their data protection obligations under the Personal Data Protection Act (PDPA), it said in a statement on Tuesday (Jan 15).
"PDPC's investigations into the data breach arising from a cyberattack on SingHealth's patient database system found that IHiS had failed to take adequate security measures to protect the personal data in its possession," said the statement.
"PDPC found that the SingHealth personnel handling security incidents was unfamiliar with the incident response process, overly dependent on IHiS, and failed to understand and take further steps to understand the significance of the information provided by IHiS after it was surfaced.
"Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers."
These financial penalties are the highest ever imposed by PDPC to date, the commission said. Both organisations are to pay their fines within 30 days.
The PDPC's decision took into account the fact that the data breach was the largest breach that Singapore had ever experienced, as well as the sensitive and confidential nature of the patients’ data.
It also factored in that IHiS and SingHealth were "cooperative" throughout the investigations and took immediate remedial actions.
The cyberattack was Singapore's most serious breach of public data. The records of 1.5 million patients, including their names, NRIC numbers and addresses, along with other information, were accessed from Jun 28 to Jul 4 last year.
Among the data taken were the medication records of close to 160,000 patients.
Among those affected was Prime Minister Lee Hsien Loong, with the attackers repeatedly targeting his personal particulars and information about his outpatient medications.
SINGHEALTH FULLY COMMITTED TO LEARNING, IMPROVING
Professor Ivy Ng, SingHealth's group chief executive officer, said that SingHealth is "fully committed" to learning and improving from the incident.
"We are making changes to enhance our cybersecurity governance structures and improve management oversight of our critical systems," said Prof Ng in a statement.
"We are also working with IHiS to comprehensively upgrade our cyber defense systems and processes to more effectively guard against cybersecurity risks, as well as to respond in a timely and robust manner to any intrusion.
"We are fully committed to learning and improving from this incident."
SingHealth senior leadership, including its Group CEO, has voluntarily accepted a financial penalty, added SingHealth chairman Peter Seah.
"Patient safety and data confidentiality are the foremost priorities in SingHealth as our patients entrust us with their care and data," he said. "As the owner of the data, we accept responsibility and apologise to our patients for the incident."
WE ARE DETERMINED TO IMPROVE: IHIS
IHiS has "accelerated" a range of cybersecurity measures that are currently being implemented, it said in a press release. Staff engagement and training have also been increased.
"We would like to apologise again to the patients affected by the SingHealth cyberattack," said IHiS chief executive officer Bruce Liang.
"As leaders of IHiS, my senior colleagues and I have collective responsibilities to defend against advanced cyber threats. With the conclusion of the COI (Committee of Inquiry that looked into the cyberattack), IHiS will focus on the formidable tasks ahead ... We are determined to improve as an organisation."