Hackers Grab 1.5 Million Patients' Details in Singapore

'Deliberate' Attack Targeted Prime Minister's Medical Details, Authorities Say
Photo: Mac Qin (Flickr/CC)

A major breach in Singapore has exposed personal information for more than 25 percent of the country's residents. But authorities say they believe the "deliberate, targeted and well-planned attack" was principally designed to steal medical information pertaining to the country's prime minister, 66-year-old Lee Hsien Loong.

The breach exposed data on about 1.5 million patients who visited organizations that are part of SingHealth, which is the island nation's largest healthcare group, health authorities say. SingHealth operates four public hospitals across the island as well as five national specialty centers and nine clinics.

"About 1.5 million patients who visited SingHealth's specialist outpatient clinics and polyclinics from May 1, 2015, to July 4, 2018, have had their non-medical personal particulars illegally accessed and copied," according to a joint statement issued by Singapore's Ministry of Communications and Information as well as the Ministry of Health.

"The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong's personal particulars and information on his outpatient dispensed medicines."

Exposed data includes each victim's name, National Registration Identity Card number, address, gender, race and date of birth (see Singapore Considers Limiting Use of NRIC Numbers).

"Information on the outpatient dispensed medicines of about 160,000 of these patients was also exfiltrated," authorities say. "No other patient records, such as diagnosis, test results or doctors' notes, were breached. We have not found evidence of a similar breach in the other public healthcare IT systems."

Authorities say that none of the exposed data was tampered with, meaning that the health records being stored by SingHealth remain intact.

Singapore's national Cyber Security Agency says attackers gained access after breaching a SingHealth workstation, although it didn't specify how exactly the attacker did so. "CSA has ascertained that the cyberattackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation," authorities say. "They subsequently managed to obtain privileged account credentials to gain privileged access to the database. Upon discovery, the breach was immediately contained, preventing further illegal exfiltration."

Suspected Target: Prime Minister

The attack "was not the work of casual hackers or criminal gangs," according to the joint statement issued by the Ministry of Communications and Information and the Ministry of Health.

"Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) confirmed that this was a deliberate, targeted and well-planned cyberattack," according to the statement. "The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong's personal particulars and information on his outpatient dispensed medicines."

In a Friday blog post, Loong writes: "When SingHealth digitized its medical records, they asked me whether to computerize my own personal records too, or to keep mine in hardcopy for security reasons. I asked to be included. Going digital would enable my doctors to treat me more effectively and in a timely manner. I was confident that SingHealth would do their best to protect my patient information, just as it did for all their other patients in the database. Of course, I also knew that the database would be attacked, and there was a risk that one day despite our best efforts it might be compromised. Unfortunately that has now happened."

Data Exfiltrated Over 8-Day Period

Health authorities say the breached data was exfiltrated from June 27 until July 4, which is when "IHiS's database administrators detected unusual activity on one of SingHealth's IT databases."

By July 10, authorities say that investigators confirmed that SingHealth had suffered a cyberattack, at which point SingHealth, the Ministry of Health as well as the CSA were informed. SingHealth filed a police report on July 12.

On Friday, SingHealth said it began to contact all patients who visited its facilities between May 1, 2015, and July 4, 2018. It says it will notify each patient regardless of whether their information was exposed. "All the patients, whether or not their data were compromised, will receive an SMS notification over the next five days," authorities say. "Patients can also access the Health Buddy mobile app [developed by SingHealth] or [the] SingHealth website to check if they are affected by this incident."

Public Healthcare IT Operator Bolsters Security

Following the breach discovery, Singapore's Integrated Health Information System, the technology agency for the country's public healthcare sector that runs its IT systems, has added further security controls designed to better lock down SingHealth's IT systems. "These include temporarily imposing internet surfing separation" on all of SingHealth's 28,000 employees, authorities say.

Surfing separation refers to employees being unable to browse websites on systems that store health data. Instead, they must use specially provided PCs, laptops or tablets, or their own mobile devices, to browse the internet.

"They have also placed additional controls on workstations and servers, reset user and system accounts, and installed additional system monitoring controls. Similar measures are being put in place for IT systems across the public healthcare sector against this threat," authorities say.

SingCERT Urges Encryption, Data Minimization

In the wake of the breach, the Singapore Computer Emergency Response Team has urged all organizations to review their information security practices, policies and procedures, especially around data security, data minimization and how they handle personally identifiable information.

"Ensure that any sensitive data is encrypted, and limit access of employees and other stakeholders by their roles. Passwords that are stored should be encrypted," SingCERT says in a Friday alert.

"Companies should review their data retention policies on the duration and the types of PII data that should be stored," SingCERT adds. "To further limit data exposure, companies are advised to purge customer's PII if it is not required anymore, such as accounts which have been terminated."

Smart Nation Pause

The Straits Times reports that following the breach, the country's Smart Nation initiative has been temporarily halted (see Hardware Flaws Delay Smart Nation Projects in Singapore).

"All of Singapore's Smart Nation plans, including the mandatory contribution to the National Electronic Health Record (NEHR) project - which enables the sharing of patients' treatment and medical data among hospitals here - have been paused," it reports.

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
