National Healthcare Group fined after personal data of 129 GPs found online

National Healthcare Group fined after personal data of 129 GPs found online

A photo illustration shows a French general practitioner holding a stethoscope in a doctor's o
FILE PHOTO: A photo illustration shows a general practitioner holding a stethoscope in a doctor's office Jan 7, 2015. (Photo: REUTERS/Regis Duvignau)

SINGAPORE: The National Healthcare Group (NHG), which operates several hospitals and polyclinics, has been fined S$6,000 for failing to secure the personal data of some of its partner doctors.

NHG failed to put in place "reasonable security arrangements" to protect the data, according to the grounds of decision by Personal Data Protection Commission (PDPC) Deputy Commissioner Yeong Zee Kin released on Thursday (Jan 9).

It also failed to fix a vulnerability that allowed unauthorised Internet users access to the personal information, even though it knew of the problem for more than a year.

The PDPC said that on Feb 7, 2018, a general practitioner (GP) who had signed up to be a partner doctor with the group stumbled upon a list with the personal information of some of the group's partner doctors while performing a search of her name on Google.

The list included the personal data of 129 GPs who had registered to be partner doctors of the National Healthcare Group through an online form on its website. The data included their NRIC numbers, full names, mobile numbers, mailing addresses, dates of birth and photographs.

The full name and addresses of five members of the public who had submitted feedback on the website, as well as mobile numbers of three of them, was also on the list.

The list should not have been accessible to unauthorised users.

The PDPC said a vendor hired to conduct a penetration test of NHG's website in mid-2016 had flagged unrestricted access to the list through the Internet as a vulnerability.

However, it was left unfixed by the organisation until the GP did a Google search of her name and subsequently notified the organisation.

"According to the organisation, the vulnerability was inadvertently left unfixed as it was not sufficiently highlighted by the vendor in the penetration test report," said the deputy commissioner. 

"This was an unsatisfactory excuse", he said, as the findings and recomendations had been the first item listed on the penetration report. They were also expressed in language accessible to a layperson.

The deputy commissioner cited section 24 of the Personal Data Protection Act, which requires an organisation to protect personal data in its possession or under its control by taking reasonable security steps or arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks.

However, he also noted that NHG had taken "prompt remedial actions" and immediate steps after being notified of the incident on Feb 7, 2018 to notify those affected by the incident, and was fully cooperative during investigations.

Source: CNA/nc(aj)