A day after announcing it was a target of Singapore's most severe data breach, SingHealth says it has notified more than 700,000 patients impacted by the security incident.
The Singapore healthcare group said it had sent out SMS notifications to the patients, who had visited its specialist outpatient clinics and polyclinics between May 1, 2015, and July 4, 2018. It added that all patients who had visited healthcare institutions under SingHealth would receive SMS notifications informing them of the security breach.
Hours earlier, it also issued a warning on its Facebook page that fake SMS messages had been sent to some people, alleging that their financial details had been accessed as a result of the SingHealth breach.
It reiterated its earlier statement that no financial details, phone numbers, or other patient medical records had been illegally accessed.
SingHealth on Friday revealed that non-medical personal details of 1.5 million patients had been accessed and copied, including patients' names, national identification numbers, addresses, gender, race, and dates of birth. In addition, outpatient medical data of some 160,000 patients were compromised, though the records were not modified or deleted.
The incident is, to date, Singapore's most serious data breach and is suspected to be the work of state actors. Authorities have described the cyberattack as "deliberate, targeted, and well-planned". It has also caused much anxiety amongst patients impacted by the breach.
Several had expressed their frustration on SingHealth's Facebook page, pointing to the healthcare provider's SMS notification that stated "no action was needed" on the users' part.
One affected patient wrote: "Am I to feel assured that someone out there now has all my particulars, including my NRIC number, date of birth, and residential address--all of which are commonly used to confirm my identity when making phone enquiries through banks and government statutory boards?"
Another noted: "Actually, I think NRIC, gender, race, address are more important than medical history. I am flustered as I am not sure what the perpetrators will use this information for."
In response, SingHealth apologised for the anxiety caused and attempted to ease concerns. "Generally, information on basic personal particulars, such as those that have been illegally accessed, are not sufficient to complete any financial or key government e-transactions as such transactions would require physical verification or two-factor authentication online verifications," it said. "However, you are advised to heighten online vigilance and secure your online credentials with strong passwords."
It added that affected patients who believed they might have fallen victim to scams should contact the police helpline.
SingHealth also pointed to its website and Health Buddy mobile app for patients who wished to check if their personal data had been impacted by the breach. Some 139,000 patients had already done so since the security incident came to light. Another 4,800 calls were made to its helpline and 750 e-mails had been sent with enquiries about the cyberattack.
The healthcare provider added that 150,000 patients who did not register their mobile numbers with SingHealth would receive letters by mail within a week, informing them about the security breach.