Singapore suffers 'most serious' data breach, affecting 1.5M healthcare patients including Prime Minister

Government describes attack as "deliberate, targeted, well-planned" and assures no medical data has been tampered with, but security vendors warn compromised data may end up for sale on the Dark Web.
Written by Eileen Yu, Senior Contributing Editor

Singapore has suffered its "most serious" data breach, compromising personal data of 1.5 million healthcare patients including that of its Prime Minister Lee Hsien Loong.

The affected users are patients of SingHealth, which is the country's largest group of healthcare institutions comprising 42 clinical specialties, four public hospitals, five speciality centres, nine polyclinics, as well as three community hospitals.

Non-medical personal details of 1.5 million patients who visited SingHealth's specialist outpatient clinics and polyclinics between May 1, 2015, and July 4, 2018, had been accessed and copied. The stolen data included patients' names, national identification numbers, addresses, gender, race, and dates of birth.

In addition, outpatient medical data of some 160,000 patients was compromised, though the records were not modified or deleted, said the Ministry of Health and Ministry of Communications and Information (MCI) in a joint statement late Friday.

"No other patient records, such as diagnosis, test results or doctors' notes, were breached [and] we have not found evidence of a similar breach in the other public healthcare IT systems," they said.

The first sign of unusual activities was detected on July 4, 2018, by the Integrated Health Information Systems (IHiS), which is the public healthcare sector's technology agency that is responsible for running local public healthcare institutions' IT systems.

The agency "acted immediately" to stop the illegal activities and implemented "additional cybersecurity precautions", whilst carrying out further investigations on the incident. Six days later, on July 10, IHiS informed the Health Ministry and Cyber Security Agency of Singapore (CSA) it had suffered a cyberattack.

However, while the attack was detected on July 4, it was later established that data "was exfiltrated" from June 27. A police report was filed on July 12 and investigations are ongoing.

In the statement, CSA and IHiS described the attack as "deliberate, targeted, and well-planned".

"It was not the work of casual hackers or criminal gangs. The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong's personal particulars and information on his outpatient dispensed medicines," they said.

No further data was compromised following the discovery on July 4 and IHiS had deployed further measures to tighten the security of SingHealth's IT systems, including temporarily separating internet access from workstations, resetting user and systems accounts, and installing additional system monitoring controls.

CSA said hackers had gained control through breaching a frontend workstation, from which they then were able to obtain privileged account credentials to gain access to SingHealth's database.

Commenting on the attack on his personal data, Lee said in a Facebook post: "I don't know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me. If so, they would have been disappointed. My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it."

The prime minister added that government systems were constant targets and while the goal was to prevent every attack, there also was a need to promptly plug the hole when a breach was discovered and improve the systems.

He noted that a Committee of Inquiry had been set up to further assess the incident and recommend measures to better manage and safeguard SingHealth's as well as other public sector IT systems against similar cybersecurity attacks in future.

Singapore's Smart Nation and Digital Government Group also conducted a scan of all government systems and found no evidence of compromise. In addition, the introduction of new ICT systems had been halted while cybersecurity measures of government systems were being reviewed.

Stolen data may end up sold and used

Meanwhile, cybersecurity vendors have warned that the compromised data may find its way onto the Dark Web.

Paul Ducklin, Sophos' senior technologist, said: "The data stolen in this breach is an identity thief's goldmine. It's a startling reminder to all Singaporeans that there is no such thing as 'cyberattackers would never care about little old me'... Anyone affected in this breach has no choice but to assume that their personal information will end up for sale in the cyber underground, ready for active abuse by cybercrooks."

Leonard Kleinman, RSA's Asia-Pacific Japan chief cybersecurity advisor, said: "Medical data contains a trove of information, from personally identifiable data to financial details, that can be used to create a highly sought-after composite of an individual. As it could contain any amount and level of information, healthcare institutions are among the most sought-after industries by criminals who can be motivated by a multitude of possible reasons.

"On the Dark Web, such data can fetch a high price," Kleinman said, adding that each entry could be sold for $50 to $100 higher than stolen credit card data. Citing data from Ponemon Institute, he noted that a lost or stolen healthcare record could fetch US$408.

He said it could take months after an attack has occurred before the first set of compromised data makes its way onto the black market to be sold and used.

According to Olli Jarva, Synopsys' managing consultant for software integrity, the healthcare sector is especially challenging from a security standpoint because it is a highly heterogeneous environment.

"While healthcare organisations may standardise on laptops and IT servers, providers also manage multiple devices that are attached to the network. These can include drug infusion pumps, imaging devices like MRI and CT scanners, and treatment software such as those used to manage implantable pacemakers," Jarva explained.

"With an extremely heterogeneous environment, systems in different parts of a healthcare organisation may not play well with each other. Like any large organisation, a healthcare organisation may have multiple business or operations units, and each unit may procure software solutions that best meet their needs, but may not have uniform cybersecurity effectiveness."

And while malware might have been used in the initial attack on the workstation, it would take more than having the right malware detection tools to solve the problem, said Francis Prince Thangasamy, CenturyLink's Asia-Pacific vice president of IT services and managed hosting.

With threats evolving so quickly today, it is challenging for one organisation to keep up. And as the healthcare industry underwent digital transformation, "the border between networks" also would become "more porous". This would make it tough to track the movement of private patient data, Thangasamy told ZDNet. "The introduction of IoT devices like smartphones, tablets, and healthcare equipment further increases the 'surface of attack'. Only a holistic approach that includes transforming people, process, and technology can improve security postures."

In reviewing its security posture following the breach, Thangasamy urged the Singapore government to recognise that it cannot solve issues on its own. With threats becoming more complex and top malicious traffic hotspots located in Asia-Pacific, including China, South Korea, and Vietnam, he said the government should partner with "the wider tech and cybersecurity ecosystem".

Singapore, it seems, should not retreat to the dark ages, either.

Lee said: "We cannot go back to paper records and files. We have to go forward to build a secure and smart nation."

Affected patients will be notified by SingHealth and all patients can check if their data has been compromised on its website.
