SINGAPORE: The "most serious breach of personal data” in Singapore’s history took place last month, with 1.5 million SingHealth patients’ records accessed and copied while 160,000 of those had their outpatient dispensed medicines’ records taken, according to the Ministry of Health and Ministry of Communications and Information.
Among those affected was Prime Minister Lee Hsien Loong, with the attackers “specifically and repeatedly targeting” his personal particulars and information of his outpatient dispensed medicines, the ministries said in a joint release on Friday (Jul 20).
Several other ministers were also affected, including Emeritus Senior Minister Goh Chok Tong.
The personal data taken from the 1.5 million patients include their names, NRIC numbers, address, gender, race and date of birth, the release said, adding that the hackers did not amend or delete the records.
Patients’ medical records, including past diagnosis, doctors’ notes and health scans, were not affected.
“We have not found evidence of a similar breach in the other public healthcare IT systems,” they said.
At a news conference on Friday, Health Minister Gan Kim Yong apologised to patients affected. Calling the attack "unprecedented", Mr Gan said: "I'm deeply sorry that this has happened ... We must learn from this and emerge stronger and more resilient from this incident."
Also at the conference was Communications and Information Minister S Iswaran who vowed to get to the bottom of the breach.
"I want to assure everyone that the Government takes with utmost seriousness its responsibility of ensuring the security of public sector IT systems and databases," he said.
Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) confirmed that the attack was a “deliberate, targeted and well-planned cyberattack” and was not the work of casual hackers or criminal gangs.
Channel NewsAsia understands that authorities have established who might be behind such an attack. There are only a few countries in the world who have the level of sophistication shown during the cyberattack campaign.
"I apologise. We are not able to reveal more because of operational security reasons," CSA chief executive David Koh said at the news conference when asked which country might have been involved.
None of the stolen data has surfaced in the public domain, including that of the prime minister.
"The attackers deliberately, repeatedly and specifically targeted his information and they were able to access and copy the dispensed medication record of Prime Minister Lee Hsien Loong," Mr Koh said.
"It's perhaps best not to speculate what the attacker had in mind," he added in response to a question on why Mr Lee's data was targeted.
In a Facebook post, Emeritus Senior Minister Goh Chok Tong revealed that his non-medical personal particulars with SingHealth had also been stolen.
"Cyber theft is a key risk when going digital. But we cannot stop the digital advance and must strive to build the most secure Smart Nation," he added.
According to MCI and MOH, IHiS database administrators detected unusual activity on one of SingHealth’s IT databases on Jul 4, and acted immediately to stop it. They carried on their investigations, while putting in place additional security measures, the release said.
From Jul 4 to Jul 9, they continued to monitor the network traffic closely before ascertaining it was a cyberattack and alerted superiors. On Jul 10, MOH, SingHealth and CSA were informed and forensic investigations were carried out.
It was found that data was taken out from Jun 27 to Jul 4 this year, and the patient records accessed and copied were from those who visited SingHealth’s specialist outpatient clinics and polyclinics from May 1, 2015, to Jul 4 this year.
CSA ascertained the cyberattackers first accessed the network after breaching a front-end workstation, and managed to get privileged access to the database over time while also showing sophistication in cleaning up their digital footprints when doing so.
SingHealth has since lodged a police report on Jul 12, and police investigations are ongoing. These investigations are separate from those looking into the cyberattack, Channel NewsAsia understands.
Since kicking the cyberattacker out of the system on Jul 4, further attacks were observed but no further data were illegally stolen, the ministries said, adding there was no disruption of healthcare services during the period of the cyberattack and patient care has not been compromised.
STEPPING UP SECURITY
The ministries also said further measures have been introduced to tighten SingHealth’s IT security, including imposing Internet separation policies.
Additional controls on workstations and servers have also been introduced, as well as the resetting of user and systems accounts and installation of more system monitoring controls.
Furthermore, SingHealth will be progressively contacting all patients who visited its clinics and polyclinics during the abovementioned time period to notify them if their data has been stolen.
All patients, whether or not they are affected, will receive an SMS notification over the next five days. They can also proactively access the Health Buddy mobile app or SingHealth website to check if they have been affected, the release said.
MOH has also directed IHiS to conduct a thorough review of the public healthcare system here, with support from third-party experts. Areas of review include cybersecurity policies, threat management processes, IT system controls and organisational and staff capabilities.
Advisories have also been sent to all healthcare institutions, public and private, on the cybersecurity precautions and measures to be taken, the release added.
COI TO BE CONVENED
Separately, the Minister-in-charge of Cybersecurity S Iswaran on Friday will convene a Committee of Inquiry, to be headed by Mr Richard Magnus, a retired Chief District Judge and member of the Public Service Commission.
More details of its members and terms of reference, as well as when the COI will be held, will be revealed at a later date, MCI said.
Addressing reporters at a news conference, Mr Iswaran said: "Because this incident occurred in the SingHealth IT system and is within the healthcare cluster, that has to be the natural focal point of the COI’s work."
However, to be meaningful it also has to draw lessons or policy recommendations that can be applied to the public sector and potentially the private sector, he added.
Mr Iswaran has also directed CSA to work closely with all 11 keys sectors - energy, water, banking and finance, healthcare, transport, Infocomm, media, security and emergency services and Government - to enhance the security of their critical information infrastructure systems.
The Smart Nation and Digital Government Group has also completed a scan of all government systems and found no evidence of compromise, he said.
There will be a pause in the introduction of new ICT systems in the interim, until their respective reviews have been completed and security posture established, it added.
"We cannot return to the days of paper and pencil but we will take a pause of our various IT-related projects ... to review and strengthen our cybersecurity measures if necessary, before proceeding," Mr Gan said, adding that this includes the National Electronic Health Record project.
There were no further details on which ICT projects will be paused, but these could possibly include SingPass Mobile, Channel NewsAsia understands.
"We will do our utmost to secure our IT systems. However, unfortunately, we cannot completely eliminate the risk of another cybersecurity attack," Mr Iswaran said at the conference. This is due to attackers constantly developing new techniques and probing for fresh weaknesses in IT systems.
"This is an ongoing battle ... however, we must not allow this incident, or any others like it, to derail our plans for a Smart Nation," he added.