1.5m patient particulars stolen from SingHealth in "well-planned" attack, PM Lee's included

Here's what you need to know.

Jeanette Tan | Martino Tan | July 20, 2018, 05:29 PM

What happened?

The database of Singapore's largest group of healthcare institutions, SingHealth, was earlier this month compromised in what Health Minister Gan Kim Yong is describing as a "very serious and unprecedented, massive cyberattack" — the largest-ever in Singapore's history, in terms of the number of particulars stolen.

As a result, the names, IC numbers, addresses, gender, race and dates of birth of some 1.5 million patients — including Prime Minister Lee Hsien Loong and potentially a few other ministers — in SingHealth's database were stolen and copied.

Those affected: anyone who visited SingHealth's specialist outpatient clinics and polyclinics between May 1, 2015 and July 4, 2018.

Of the 1.5 million patients whose personal particulars were obtained, the information of 160,000 patients' outpatient dispensed medicines was also successfully stolen in the attack, which government spokespersons say was a "deliberate, targeted and well-planned" one, not by casual hackers or criminal gangs.

PM Lee’s personal particulars, as well as information on his outpatient dispensed medicines, were specifically and repeatedly targeted. These were both stolen and copied.

However, David Koh, chief executive of the government's Cyber Security Agency of Singapore (CSA), confirmed on Friday that PM Lee's info has not been found to have been used or sold online by anyone yet.

How serious is this?

Very, very. Our ministers are calling it the most serious breach of personal information held by the government, ever. At a Friday afternoon press conference, Health Minister Gan Kim Yong apologised for letting the attack happen under his watch:

“I am deeply sorry that this has happened... I would like to apologise to the affected patients”.

How did it happen?

Photo via SingHealth website. It is not certain that this is the exact type of workstation that was compromised.

The CSA ascertained that the attackers first gained access to SingHealth's system through "a breach on a particular front-end workstation".

They managed to obtain privileged account credentials that gained them access to the database.

The hackers then helped themselves to the data over eight days, between June 27 and July 4, 2018, the latter being the day the breach was first discovered by SingHealth's Integrated Health Information System (IHiS) database administrators.

Fortunately, IHiS, with CSA’s support, acted immediately to halt the malicious activity to prevent further loss of data. They have also implemented further measures to tighten the security of SingHealth’s IT systems by temporarily imposing internet surfing separation.

SingHealth also lodged a police report on July 12. Police investigations are ongoing.


Spokespersons from the Ministries of Health and Communications & Information said further malicious activities were observed "with heightened monitoring", but no further data was stolen after July 4.

The attack was confirmed about a week later (on July 10), and reported to the police on the same day. The Ministry of Health, SingHealth and the CSA were informed as well, after which the CSA commenced its investigations into the attack.

What else is affected?

Even though the aforementioned details were stolen, the government says none were tampered with, modified in any way or deleted.

Apart from the details we listed above, no further data apart from what was initially stated was stolen in the attack. This means:

  • Diagnoses, test results, doctors' notes
  • Billing information
  • Personal and family medical histories (apart from the 160,000 patients' outpatient dispensed medicine)

And any other information kept in SingHealth's, as well as other public healthcare IT systems, has all not been compromised.

The government also made clear that healthcare services were not disrupted or impacted, and patient care has not been affected in any way either.

Who did it?

The government will not reveal this for "operational security reasons", but has indicated that they know who was responsible for the attack.

We understand, however, that it appears to have been the work of people from another country.

How do I know if my information was stolen?

If you are among these 1.5 million patients whose information was stolen, SingHealth will send you a text message over the next five days, starting Friday, July 20.

This message will inform you if your data has been stolen.

You can also check the status of your data proactively on the Health Buddy mobile app, or the SingHealth website, by logging into your account with your SingPass.

And if you don't happen to have a mobile phone number registered in SingHealth's database, SingHealth will send a paper letter to your mailing address.

What's being done now?

The folks at Integrated Health Information System are now conducting a review of Singapore's public healthcare system, with support from third-party experts, in order to improve cyberattack prevention, detection and response. They'll also be looking at policies relating to cybersecurity, threat management, IT system controls and organisation and staff capability.

Advisories have been sent to public and private healthcare institutions to take a series of cybersecurity measures and precautions.

The Minister-in-charge of cyber security, S Iswaran, is convening a Committee of Inquiry to investigate this attack.

More information about this cyberattack:

Top photo by Martino Tan, PM Lee's Facebook page