SingHealth & IHiS fined S$1 million in total for cyberattack failings

Price paid.

Sulaiman Daud | January 15, 2019, 12:02 PM

The Personal Data Protection Commission (PDPC) will impose severe financial penalties on SingHealth and the Integrated Health Information Systems (IHiS) for their lapses during the June and July 2018 cyberattack.

IHiS was fined S$750,000 after investigations found that it had failed to take adequate security measures to protect its data.

SingHealth was also fined S$250,000, as the owner of the patient database system.

SingHealth lapses

Investigations also revealed that SingHealth was at fault for the following:

  • SingHealth personnel handling security incidents were unfamiliar with the incident response process.
  • SingHealth personnel were overly dependent on IHiS.
  • SingHealth personnel failed to understand, and to take further steps to understand, the significance of the information provided by IHiS after it was surfaced.

The PDPC also made the point that when organisations delegate their work to vendors, they must ultimately take responsibility for the personal data that they have collected from their customers.

The PDPC also took into account the fact that the attack was the worst in Singapore's history, and the sensitive nature of the data that was accessed.

Worst cyberattack in Singapore's history

The personal information of 1.5 million patients was stolen in the attack, along with the information on outpatient dispensed medicine of 160,000 patients.

Prime Minister Lee Hsien Loong’s personal particulars, as well as information on his outpatient dispensed medicines, were specifically and repeatedly targeted. These were both stolen and copied.

However, PDPC also took into account the willingness of both SingHealth and IHiS to cooperate with the investigations, and the immediate remedial actions that were taken.

IHiS, together with the Cyber Security Agency of Singapore, acted to stop the malicious activity to prevent further loss of data when the breach was discovered on July 4, 2018.

On Jan. 14, IHiS announced they had fired two employees and demoted another, following the Committee of Inquiry report.

IHiS also imposed financial penalties on other employees, including CEO Bruce Liang, in recognition of the responsibility of the leadership.

MPs have raised questions on the matter and it is expected to be addressed in Parliament on Jan. 15. The article will be updated later to reflect the discussion, if any.

Top image adapted from SingHealth screen shot and photo by Martino Tan.