Third-party data breach in Singapore hits healthcare provider

Fullerton Health says its third-party vendor, which platform facilitates appointment booking, had suffered a security breach first detected on October 19 that compromised patients' personal data, including name and contact details as well as bank account information.
Written by Eileen Yu, Senior Contributing Editor

Another third-party security breach has been reported in Singapore, this time, affecting patients of Fullerton Health and compromising personal data that included bank account details in "a few cases". The affected vendor Agape Connecting People, which platform facilitates appointment booking, first detected the breach on October 19 and appeared to affect only Fullerton Health. 

The healthcare services provider said none of its own IT systems, network, and databases were impacted by the breach. It filed reports with both the police and Personal Data Protection Commission, which oversees Singapore's Personal Data Protection Act

Agape first detected the intrusion on October 19 and "acted immediately" to isolate and suspend use of the system, the vendor said in a statement Monday. 

"None of our core infrastructure has been compromised," it said, adding that the breach "appears" to be limited to Fullerton Health. However, it noted that it still was in the process of confirming that no other clients were affected. 

Describing itself as a social enterprise, Agape operates a contact centre to provide employment for the disadvantage, including inmates, physically disabled, ex-offenders, and single mothers. It has a capacity of more than 250 seats and aims to support 1,000 disadvantaged individuals by 2022.

Agape said it was working with cybersecurity experts to implement "mitigating action" to minimise further impact from the breach. 

Fullerton Health said on October 21 it was alerted "a few days ago" that its customer personal data could have been exposed and initiated an investigation. It found that an unauthorised party had gained access to a server used by Agape, compromising personal data of patients with whom Agape had assisted in making appointments.

Such details included names, identification numbers, and contact details, as well as bank account details in "a few cases" and "certain limited health-related information". No credit card information or passwords were leaked, Fullerton Health said. The company services corporate clients and their employees, one of whom at least had been confirmed to have their personal data potentially exposed.

Fullerton Health said it still was working to ascertain the number and identity of individuals affected by the breach. Digital forensic and cybersecurity professionals had been roped in to help with its investigations, the healthcare provider said, adding that they also were trying to determine the root cause and full extent of the breach.

"We are conducting a thorough review of our processes and protocols relating to data security and the use of third-party service providers to further strengthen our information security," Fullerton Health said.

It said data relating to COVID-19 vaccinations carried out at its vaccination centres were not compromised, since the information had been stored separately on a system not shared with Agape. 

Singapore has seen a spate of supply chain attacks this past year that compromised personal data of, amongst others, 580,000 Singapore Airlines (SIA) frequent flyers129,000 Singtel customers, and 30,000 individuals in an incident involving job-matching organisation e2i. 

The Singapore Computer Emergency Response Team (SingCERT) last year handled 9,080 cases, up from 8,491 the year before and 4,977 in 2018, with marked increases in ransomware, online scams, ad COVID-19 phishing activities, revealed a July 2021 report released by Cyber Security Agency of Singapore (CSA). 

The number of reported ransomware attacks saw a significant spike of 154% in 2020, with 89 incidents, compared to 35 in 2019. These mostly affected small and midsize businesses (SMBs) in various sectors including manufacturing, retail, and healthcare.  


Editorial standards