The Ministry of Communications and Information (MCI) revealed (Jul 20) at a joint press briefing with Ministry of Health (MOH) that between May 1 2015 and July 4 2018, 1.5 million patients who visited SingHealth's specialist outpatient clinics and polyclinics had their non-medical personal particulars (name, NRIC number, address, gender, race, and date of birth) illegally accessed and copied.

Data exfiltrated

MCI further said that information on outpatient dispensed medicines of about 160,000 patients was "exfiltrated" (stolen).

In particular, Prime Minister Lee Hsien Loong's personal particulars and information on his outpatient dispensed medicines were "specifically and repeatedly" targeted. His dispensary records were copied out.

The attack is said to be "deliberate, targeted and well-planned" and it was "not the work of casual hackers or criminal gangs".

This was a point that was repeated several times at the press briefing, by David Koh, the Chief Executive of the Cyber Security Agency.

Answering queries from the media, the authorities said that they know the origin country of the attack but will not reveal it for operational security reasons.

Committee of Inquiry formed

MCI said that this incident had "serious public health and safety implications."

It said that Minister-in-Charge of Cybersecurity, S Iswaran, would convene a Committee of Inquiry (COI) with Richard Magnus, a retired Senior District Judge and member of the Public Service Commission, chairing the COI.

With reference to the attack, Iswaran said, "This is the most serious breach ever ... we will get to the bottom of this."

When questioned by media whether other Cabinet Ministers had their data stolen, Iswaran said, "You asked about the other Ministers. Our priority is to ensure all the records of SingHealth is safeguarded."

Health Minister Gan Kim Yong said that he would extend his full support to help Iswaran with the COI. Gan added, "This is a very serious and unprecedented, massive cyberattack on the healthcare system."

According to MCI, "the COI will establish the events and contributory factors leading to the cybersecurity attack, and the incident response. It will also recommend measures to better manage and secure SingHealth's and other public sector IT systems against similar cybersecurity attacks in future."

MCI will announce the COI’s composition and the terms of reference at a later date.

Iswaran noted that the COI will have both public and private hearings.

Government strengthening IT Systems

In light of the attack, MCI said that the Government "will take immediate action to strengthen our IT systems against similar cybersecurity attacks."

The Cyber Cecurity Agency will work closely with all 11 key sectors to enhance the cybersecurity of their Critical Information Infrastructure systems.

According to MCI, a scan of all government systems found no evidence of compromise. Introduction of new ICT systems in the government will be paused while cybersecurity measures of government systems are reviewed.

MCI said that this attack will not derail any plans to transform Singapore into a Smart Nation and that the authorities will "learn from the experience of this deliberate and sophisticated cybersecurity attack, and implement measures to better secure our public sector IT systems and databses, and uphold public trust in our systems."

[related_story]