The PDPC found that the hospital failed to implement reasonable security arrangements to protect the leaked personal data from the risk of unauthorised access and disclosure.

Farrer Park Hospital should have put in place stronger measures to manage its marketing department’s work email accounts because it received and processed sensitive personal data of a large volume daily, the commission added.

Such measures can include enhanced access controls for the department’s web-mail access, a separate web portal for the department to collect sensitive medical information, and processes to regularly move such information from the email accounts to a more secure system.

While the PDPC noted that the automatic forwarding of emails in Microsoft Office 365 is a known security risk, it gave the hospital the benefit of the doubt that a lack of guidelines, standards and benchmarks may have affected its assessment of the risks.

“However, there must be no doubt that failure to make reasonable assessment of the risks from email auto-forwarding within an organisation is a breach of the Protection Obligation that would, in future cases, be met with the appropriate enforcement action,” the commission added.

In deciding what financial penalty to impose, the PDPC considered some mitigating factors.

After the breach came to light, the hospital took immediate remedial actions and fully cooperated during investigations.

It also had various security measures in place before the data was leaked, and conducted data protection and cybersecurity training for its employees.

The remedial actions it took were:

Disabling the auto-forwarding feature for end-users

Increasing the frequency of internal cybersecurity training and exercises

Implementing additional technical email and network security measures

Refreshing and upgrading its existing network security measures
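The decision turns on end-user email auto-forwarding in Microsoft Office 365 and on the first remedial action listed above, disabling that feature. The following PowerShell is an added example and is not code from the article, the hospital or the PDPC: it inventories existing forwarding (mailbox-level forwarding and inbox rules), records the findings, blocks automatic forwarding to external recipients tenant-wide, and queries the unified audit log for recent forwarding changes so the control can be monitored after the fact. It assumes an Exchange Online tenant with the ExchangeOnlineManagement module installed and an account holding Exchange administrator rights; the administrator address, the policy name `Default` and the output file paths are assumptions, and any forwarding that the inventory shows to be a legitimate business process should be reviewed before the block is applied.

```powershell
# Added example (not the hospital's or the PDPC's own code).
# Assumes: ExchangeOnlineManagement module, Exchange admin rights,
# and an assumed admin UPN / policy name / output paths.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@example.onmicrosoft.com'   # assumed account

# 1. Inventory mailbox-level forwarding (set via Set-Mailbox or the user's OWA settings).
function Get-MailboxForwardingReport {
    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
        Select-Object UserPrincipalName, ForwardingAddress, ForwardingSmtpAddress,
                      DeliverToMailboxAndForward
}

# 2. Inventory inbox rules that forward or redirect mail, the mechanism at issue in the decision.
function Get-InboxRuleForwardingReport {
    foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
        Get-InboxRule -Mailbox $mbx.UserPrincipalName |
            Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
            Select-Object @{ n = 'Mailbox'; e = { $mbx.UserPrincipalName } },
                          Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
    }
}

# 3. Detection: forwarding-related changes recorded in the unified audit log.
#    Each AuditData entry is JSON whose Parameters array names the cmdlet arguments used.
function Get-RecentForwardingChanges {
    param([int]$Days = 7)
    $forwardingParams = 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo',
                        'ForwardingSmtpAddress', 'ForwardingAddress'
    Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-$Days) -EndDate (Get-Date) `
                           -Operations 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox' `
                           -ResultSize 5000 |
        ForEach-Object {
            $data = $_.AuditData | ConvertFrom-Json
            $hits = $data.Parameters | Where-Object { $forwardingParams -contains $_.Name }
            if ($hits) {
                [pscustomobject]@{
                    When      = $data.CreationTime
                    Actor     = $data.UserId
                    Operation = $data.Operation
                    Target    = $data.ObjectId
                    Forwarding = ($hits | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; '
                }
            }
        }
}

# Keep the inventory as evidence for the incident and compliance record (assumed paths).
Get-MailboxForwardingReport   | Export-Csv -NoTypeInformation -Path '.\mailbox-forwarding.csv'
Get-InboxRuleForwardingReport | Export-Csv -NoTypeInformation -Path '.\inboxrule-forwarding.csv'
Get-RecentForwardingChanges   | Export-Csv -NoTypeInformation -Path '.\forwarding-changes.csv'

# 4. Mitigation: reject automatic forwarding to external recipients tenant-wide.
#    AutoForwardingMode Off applies to inbox rules, mailbox forwarding and mail-flow rules alike.
Set-HostedOutboundSpamFilterPolicy -Identity 'Default' -AutoForwardingMode Off

#    The remote-domain setting is the older control for the same outcome; setting both
#    avoids depending on which one a given tenant actually enforces.
Set-RemoteDomain -Identity 'Default' -AutoForwardEnabled $false

Disconnect-ExchangeOnline -Confirm:$false
```

Running the three report functions before the two `Set-` cmdlets gives the defender a list of every forwarding path that the tenant-wide block will cut, which is the "reasonable assessment of the risks" the commission says an organisation must be able to show; scheduling `Get-RecentForwardingChanges` afterwards turns the one-off remediation into an ongoing detection for anyone re-enabling forwarding through an inbox rule.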

The hospital, in seeking a smaller penalty, said that it appointed a private forensic expert who had monitored the Internet and dark web from February to April 2020 and did not find any unauthorised disclosure of the personal data involved.

The hospital also did not receive any complaints from the affected individuals.

However, the PDPC said the lack of evidence of further exploitation, use or disclosure did not merit a reduction of the penalty.

In response to CNA's queries, Dr Timothy Low, chief executive officer of Farrer Park Hospital, said it immediately addressed the data breach in 2019 and informed all affected patients.

Dr Low added: “The privacy, safety and wellbeing of our patients continue to be our utmost priority and we are committed to protecting their personal data at Farrer Park Hospital.

“We have since strengthened our IT security measures and increased the frequency of cybersecurity training and exercises internally.

“Please be assured that there was no impact on our hospital operations. We take this incident very seriously and deeply regret the inconvenience caused to the affected patients.”

On Oct 1 this year, the maximum amount that a company can be fined for a data breach was increased to either 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher.

Previously, organisations that violate the Personal Data Protection Act would face a financial penalty of up to S$1 million.