SingHealth will notify patients affected by cyberattack; Government to order Committee of Inquiry

File photo of Marine Parade Polyclinic.

SINGAPORE: Starting from Friday (Jul 20) evening and over the next five days, SingHealth will progressively send a text message to each of the 1.5 million patients who visited its specialist outpatient clinics and polyclinics from May 1, 2015 to Jul 4, 2018 to notify them whether their medicine records had been illegally extracted.

For those with no registered mobile number, a letter will be sent to their address within a week.

These 1.5 million patients had their non-medical records – including name, NRIC, address and date of birth – illegally accessed and copied in the cyberattack. Of this group, about 160,000 patients had their medicine records stolen.

Those whose medicine records were stolen will be given a specific hotline to call.

No other patient records, such as diagnosis, test results or doctor’s notes, were breached.

“Patients can also access the Health Buddy mobile app or SingHealth website to check if they are affected by this incident,” the Ministry of Communications and Information (MCI) and Ministry of Health (MOH) said in a joint statement on Friday (Jul 20).

This is the SMS you will receive if you are one of the 1.5 million people who had their data stolen.

This is the message you will see on the online SingHealth DataCheck if you are not affected by the cyberattack.

At a news conference on Friday, Health Minister Gan Kim Yong said affected patients should be looking out for "unusual activities in their emails and various transactions". "If they notice any of this, they can always contact the authorities so that we can follow up," he said.

The cyberattack, which investigations had confirmed on Jul 10 was “deliberate, targeted and well-planned”, is Singapore’s most serious personal data breach to date. “It was not the work of casual hackers or criminal gangs,” the ministries said.

The Integrated Health Information Systems (IHiS), the technology agency for the public healthcare sector, first detected “unusual activity” on one of SingHealth’s IT databases on Jul 4. Following investigations, it was established that data was extracted from Jun 27 to Jul 4.

Prime Minister Lee Hsien Loong’s personal particulars and outpatient medication data were “specifically and repeatedly” targeted, the ministries said. 

Emeritus Senior Minister Goh Chok Tong also revealed that his "non-medical personal particulars" with SingHealth had been stolen. 

SingHealth lodged a police report on Jul 12. Police investigations are ongoing.

Minister-in-charge of Cybersecurity S Iswaran will convene a Committee of Inquiry (COI) to establish the events and contributing factors leading to the cyberattack and the response to the incident, which has “serious public health and safety implications”.

“It will also recommend measures to better manage and secure SingHealth’s and other public sector IT systems against similar cybersecurity attacks in future,” MCI said.

Retired Senior District Judge and Public Service Commission member Richard Magnus will chair the COI, whose composition and terms of reference will be revealed at a “later date”.

Meanwhile, the Government said it will take “immediate action” to strengthen its IT systems against similar attacks.

To that end, Mr Iswaran has directed the Cyber Security Agency of Singapore to work closely with key sectors – including the energy and banking and finance industries – to improve the security of their Critical Information Infrastructure systems.

“The Smart Nation and Digital Government Group (SNDGG) has completed a scan of all Government systems and found no evidence of compromise,” MCI said.

“SNDGG will pause the introduction of new ICT systems while it reviews the cybersecurity measures of Government systems, and implements any additional security safeguards which are necessary.”

On another level, MOH has directed IHiS to conduct a “thorough review” of the public healthcare system with the help of third-party experts to improve cyberattack prevention, detection and response.

Areas of review include cybersecurity policies, threat management processes, IT system controls and organisational and staff capabilities.

“Advisories have been sent to all healthcare institutions, public and private, on the cybersecurity precautions and measures to be taken,” the ministries said.

“The Government takes a serious view of any cyberattack, illegal access of data or action that compromises the confidentiality of data in Singapore.”

When asked how the Government will restore public confidence following the massive data breach, Mr Iswaran laid out three measures.

First, steps have been taken to contain the problem and eliminate the risk of further data leaking, he said. Second, the SNDGG has also concluded that there is no evidence of a compromise in other Government IT systems.

"The third is to learn from this in order to put in place additional safeguard measures which may be necessary in order to forestall future cyberattacks of this nature," he added.

"At the same time, the COI’s work will also inform that process, and I think we may be able to yield some additional insights as to what we may need to do in order to further secure IT systems in the Government."

Source: CNA/hz