Farrer Park Hospital fined S$58,000 over data breach affecting medical information of 2,000 people
Personal details of about 3,500 people were automatically forwarded from two hospital employees' email accounts to a third party.
SINGAPORE: Farrer Park Hospital has been fined S$58,000 over a data breach that led to the confidential medical information of almost 2,000 people being automatically forwarded to a third party.
In a judgment dated Sep 15 and released on Friday (Nov 18), the Personal Data Protection Commission (PDPC) gave more details about the breach and its decision to impose the financial penalty on the private hospital.
The leak happened over a span of almost two years — between March 8, 2018 and Oct 25, 2019. The hospital notified the commission about the breach in July 2020 after receiving a complaint in October 2019.
Among the 3,539 past, present or prospective patients whose personal data was leaked, 1,923 people had their medical information disclosed as well.
Farrer Park Hospital claimed that none of the data was misused, but the PDPC did not accept this as a factor in reducing the penalty.
A total of 9,271 emails had been automatically forwarded from two Farrer Park Hospital employees' Microsoft Office 365 work email accounts to a third party’s email address.
These employees worked in the marketing department, which processed requests for the hospital’s medical services via email. They could log into their email via a web browser.
The requests contained personal data pertinent to prospective patients’ medical treatments, including their names, genders, National Registration Identity Card numbers, passport details, contact numbers and medical information.
The medical information included health condition(s), diagnosis, medical history and medical reports such as X-rays.
When the first instance of the data breach happened in March 2018, the hospital had not implemented multi-factor authentication, which would have required staff to key in a one-time password sent to their registered mobile number when accessing their work email accounts from a new device.
On Oct 24, 2019, the hospital’s IT help desk received a complaint that one of the marketing employees’ email accounts could not send outgoing emails.
While checking on the complaint, the help desk discovered that Office 365 had automatically restricted the email accounts, a security feature triggered by unauthorised access.
Further investigations confirmed that the email accounts had been configured to automatically forward all incoming emails to the third party, which was not identified in Friday’s judgment.
The PDPC found that the hospital failed to implement reasonable security arrangements to protect the leaked personal data from the risk of unauthorised access and disclosure.
Farrer Park Hospital should have put in place stronger measures to manage its marketing department’s work email accounts because it received and processed sensitive personal data of a large volume daily, the commission added.
Such measures can include enhanced access controls for the department’s web-mail access, a separate web portal for the department to collect sensitive medical information, and processes to regularly move such information from the email accounts to a more secure system.
While the PDPC noted that the automatic forwarding of emails in Microsoft Office 365 is a known security risk, it gave the hospital the benefit of the doubt that a lack of guidelines, standards and benchmarks may have affected its assessment of the risks.
“However, there must be no doubt that failure to make reasonable assessment of the risks from email auto-forwarding within an organisation is a breach of the Protection Obligation that would, in future cases, be met with the appropriate enforcement action,” the commission added.
In deciding what financial penalty to impose, the PDPC considered some mitigating factors.
After the breach came to light, the hospital took immediate remedial actions and fully cooperated during investigations.
It also had various security measures in place before the data was leaked, and conducted data protection and cybersecurity training for its employees.
The remedial actions it took were:
- Disabling the auto-forwarding feature for end-users
- Increasing the frequency of internal cybersecurity training and exercises
- Implementing additional technical email and network security measures
- Refreshing and upgrading its existing network security measures
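As an added example (not code from the article, the hospital or the PDPC), the first of those remedial steps expressed as an Exchange Online PowerShell audit: it lists every mailbox setting or inbox rule that forwards mail outside the organisation, then turns auto-forwarding off tenant-wide. It assumes the ExchangeOnlineManagement module and Exchange admin rights; `contoso.example` and the report path are placeholders.

```powershell
# Added example (not the hospital's or the regulator's code): find and block external email
# auto-forwarding in Exchange Online. Assumes the ExchangeOnlineManagement module is installed
# and the caller has Exchange admin rights. 'contoso.example' is a placeholder for your own domains.
$InternalDomains = @('contoso.example')
$ReportPath = '.\forwarding-audit.csv'   # assumed output location

Connect-ExchangeOnline -ShowBanner:$false

function Get-SmtpAddress([string]$Entry) {
    # Inbox-rule recipients look like '"Name" [SMTP:user@domain]'; mailbox forwarding looks like 'smtp:user@domain'
    if ($Entry -match 'SMTP:([^\]]+)\]') { return $Matches[1] }
    return ($Entry -replace '^smtp:', '')
}

function Test-IsExternal([string]$Entry) {
    if ([string]::IsNullOrWhiteSpace($Entry)) { return $false }
    $domain = (Get-SmtpAddress $Entry).Split('@')[-1].ToLower()
    return -not ($InternalDomains -contains $domain)
}

$findings = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    # 1. Forwarding set on the mailbox itself (admin-side or via the webmail settings page)
    if (Test-IsExternal $mbx.ForwardingSmtpAddress) {
        [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'MailboxSetting'; Rule = ''; Target = (Get-SmtpAddress $mbx.ForwardingSmtpAddress) }
    }
    # 2. Inbox rules that forward or redirect, the mechanism someone with webmail access can set up silently
    foreach ($rule in Get-InboxRule -Mailbox $mbx.UserPrincipalName) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) | Where-Object { $_ }
        foreach ($t in $targets) {
            if (Test-IsExternal $t) {
                [pscustomobject]@{ Mailbox = $mbx.UserPrincipalName; Source = 'InboxRule'; Rule = $rule.Name; Target = (Get-SmtpAddress $t) }
            }
        }
    }
}

if ($findings) { $findings | Export-Csv -Path $ReportPath -NoTypeInformation }
Write-Host "$(@($findings).Count) external forwarding destinations written to $ReportPath"

# 3. Close the door tenant-wide: the outbound spam policy refuses auto-forwarded mail and the
#    default remote domain disallows auto-forwarding, so any rule that survives is inert.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 4. Disable each flagged user rule (review the CSV first; a legitimate forward needs an explicit exception)
foreach ($f in (@($findings) | Where-Object Source -eq 'InboxRule')) {
    Disable-InboxRule -Mailbox $f.Mailbox -Identity $f.Rule -Confirm:$false
}
```

Run the audit on a schedule and alert on any new row: a forwarding rule appearing on a mailbox that handles patient requests is exactly the signal that went unnoticed here for nineteen months.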
The hospital, in seeking a smaller penalty, said that it appointed a private forensic expert who had monitored the Internet and dark web from February to April 2020 and did not find any unauthorised disclosure of the personal data involved.
The hospital also did not receive any complaints from the affected individuals.
However, the PDPC said the lack of evidence of further exploitation, use or disclosure did not merit a reduction of the penalty.
In response to CNA's queries, Dr Timothy Low, chief executive officer of Farrer Park Hospital, said it immediately addressed the data breach in 2019 and informed all affected patients.
Dr Low added: “The privacy, safety and wellbeing of our patients continue to be our utmost priority and we are committed to protecting their personal data at Farrer Park Hospital.
“We have since strengthened our IT security measures and increased the frequency of cybersecurity training and exercises internally.
“Please be assured that there was no impact on our hospital operations. We take this incident very seriously and deeply regret the inconvenience caused to the affected patients.”
On Oct 1 this year, the maximum amount that a company can be fined for a data breach was increased to either 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher.
Previously, organisations that violate the Personal Data Protection Act would face a financial penalty of up to S$1 million.