Singapore’s Giant Healthcare Hack

In the worst cyber-attack in Singapore’s history, hackers broke into the computers of SingHealth, the Republic’s largest public healthcare group, and scooped up personal information on 1.5 million patients in June 2018. Of these, 160,000 people, including Prime Minister Lee Hsien Loong and a few ministers, had their outpatient prescription information stolen as well. At a press conference on July 20th, the authorities said that the attackers “specifically and repeatedly” targeted data on PM Lee.

Mr David Koh, chief executive of the Cyber Security Agency of Singapore, said: “The attack was a deliberate, targeted and well-planned cyber-attack.” He ruled out casual hackers and criminal gangs, but refused to be drawn on who might be behind the attacks. Cybersecurity experts commented that, given the nature of the attacks, these were likely to be state-organised or sponsored, with just a few key countries such as China, Russia and the United States having the capacity to mount such a sophisticated attack.

A Committee of Inquiry (COI) will be convened to establish the events that led to the breach and recommend measures to better secure public sector IT systems.

Database administrators of the Integrated Health Information Systems first detected unusual activity on July 4, and acted immediately to halt the activity. However, subsequent investigations established that hackers had breached the system a week earlier, on June 27.

In that time, the attackers took records of patients who visited nine SingHealth institutions from May 1, 2015, to July 4 this year. The institutions include Singapore General Hospital, Changi General Hospital and SingHealth’s network of polyclinics.
What specific information the hackers were after was unclear, although experts said the damage could well have been worse.
For the bulk of the 1.5 million patients, the data taken includes personal details like names, identity card numbers and addresses, and demographic information like a patient’s gender, race and date of birth. Credit card numbers and mobile phone numbers were unaffected.

While the hackers copied information on medicine dispensed to 160,000 outpatients, they did not tamper with these records nor gain access to more detailed medical records like diagnosis, test results or doctors’ notes.

Still, the aftermath of the breach will be far-reaching. For a start, all new Smart Nation projects will be paused as the Smart Nation and Digital Government Group reviews the cyber-security measures of government systems and implements any necessary safeguards.

The introduction of a new Singaporean law scheduled later this year, to make all healthcare institutions contribute data to the National Electronic Health Record, will be postponed.