SINGAPORE: Personal data and clinical information of 73,466 patients were affected in a cyberattack on private practice Eye & Retina Surgeons earlier this month, with the root causes of the incident under investigation.
The affected data included patients' names, addresses, identity card numbers, contact details and clinical information. No credit card or bank account information was accessed or compromised, the specialist eye clinic said in a press release on Wednesday (Aug 25).
The "illegal and sophisticated ransomware cyberattack" was carried out by an unknown party on Aug 6, said the clinic.
It affected servers and several computer terminals at the clinic's branch in Camden Medical. The IT system at the clinic's branch in Mount Elizabeth Novena Specialist Centre was not affected.
"To optimise data security, (Eye & Retina Surgeons) maintains segregated networks and active medical records are maintained separately on a cloud-based system and thus were not accessed or compromised," the clinic added.
None of the practice's clinical operations were affected, and its IT systems have been securely restored, it said.
The clinic said there has been no known release of sensitive data into the public domain to date, and that it will continue to monitor the situation closely.
"Patients are now being progressively informed of this cyber-incident," it added.
The incident has been reported to the police, the Personal Data Protection Commission and the Singapore Computer Emergency Response Team (SingCERT).
Eye & Retina Surgeons said that its IT team has been working closely with the Cybersecurity Agency of Singapore (CSA) and the Ministry of Health (MOH) to investigate the root causes of the incident.
"All necessary measures to prevent a recurrence of this breach will be taken," said the clinic, adding that it was working with cybersecurity experts and authorities to identify any potential areas in its IT systems that can be further secured.
"(Eye & Retina Surgeons) regrets this breach and wishes to assure its patients that it takes patient confidentiality very seriously," the clinic said.
NO CONNECTION TO NATIONAL ELECTRONIC HEALTH RECORD: MOH
In a separate statement, the Health Ministry said it was informed of a ransomware attack affecting Eye & Retina Surgeons' clinic server and clinic management system on Aug 16. The clinic lodged a police report on Aug 13, it added.
"The clinic's compromised IT systems are not connected to MOH's IT systems, such as the National Electronic Health Record, and there have been no similar cyberattacks on MOH's IT systems," the ministry said.
It added that it has asked the clinic to investigate, thoroughly review its systems and work with CSA to take immediate actions to strengthen its cyber defence.
"The Government takes a serious view of any cyberattack, illegal access of data or action that compromises the integrity, confidentiality and availability of data and IT systems in Singapore," said the ministry.
MOH cited the Private Hospitals and Medical Clinics Regulations, which state that all licensees shall implement adequate safeguards to protect medical records and monitor and evaluate those safeguards, as well as the Healthcare Cybersecurity Essentials guidelines.
"Following this incident, MOH will be reminding all its licensed healthcare institutions to remain vigilant, strengthen their cybersecurity posture, and ensure the security and integrity of their IT assets, systems, and patient data," said the ministry.
"It is only through the disciplined maintenance of a safe and secure data and IT system that healthcare professionals will be able to deliver accurate and appropriate care, and uphold patient safety."