A total of 1.5 million SingHealth patients’ non-medical personal data were stolen, while 160,000 of those had their dispensed medicines’ records taken too, according to MCI and MOH.
SINGAPORE: The "most serious breach of personal data” in Singapore’s history took place last month, with 1.5 million SingHealth patients’ records accessed and copied while 160,000 of those had their outpatient dispensed medicines’ records taken, according to the Ministry of Health and Ministry of Communications and Information.
Among those affected was Prime Minister Lee Hsien Loong, with the attackers “specifically and repeatedly targeting” his personal particulars and information of his outpatient dispensed medicines, the ministries said in a joint release on Friday (Jul 20).
Several other ministers were also affected, including Emeritus Senior Minister Goh Chok Tong.
The personal data taken from the 1.5 million patients include their names, NRIC numbers, address, gender, race and date of birth, the release said, adding that the hackers did not amend or delete the records.
Patients’ medical records, including past diagnosis, doctors’ notes and health scans, were not affected.
“We have not found evidence of a similar breach in the other public healthcare IT systems,” they said.
At a news conference on Friday, Health Minister Gan Kim Yong apologised to patients affected. Calling the attack "unprecedented", Mr Gan said: "I'm deeply sorry that this has happened ... We must learn from this and emerge stronger and more resilient from this incident."
Also at the conference was Communications and Information Minister S Iswaran who vowed to get to the bottom of the breach.
"I want to assure everyone that the Government takes with utmost seriousness its responsibility of ensuring the security of public sector IT systems and databases," he said.
Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHIS) confirmed that the attack was a “deliberate, targeted and well-planned cyberattack” and was not the work of casual hackers or criminal gangs.
Channel NewsAsia understands that authorities have established who might be behind such an attack. There are only a few countries in the world who have the level of sophistication shown during the cyberattack campaign.
"I apologise. We are not able to reveal more because of operational security reasons," CSA chief executive David Koh said at the news conference when asked which country might have been involved.
None of the stolen data has surfaced in the public domain, including that of the prime minister.
"The attackers deliberately, repeatedly and specifically targeted his information and they were able to access and copy the dispensed medication record of Prime Minister Lee Hsien Loong," Mr Koh said.
"It's perhaps best not to speculate what the attacker had in mind," he added in response to a question on why Mr Lee's data was targeted.
In an Facebook post, Emeritus Senior Minister Goh Chok Tong revealed that his non-medical personal particulars with SingHealth had also been stolen.
"Cyber theft is a key risk when going digital. But we cannot stop the digital advance and must strive to build the most secure Smart Nation," he added.
According to MCI and MOH, IHIS database administrators detected unusual activity on one of SingHealth’s IT databases on Jul 4, and acted immediately to stop it. They carried on their investigations, while putting in place additional security measures, the release said.
From Jul 4 to Jul 9, they continued to monitor the network traffic closely before ascertaining it was a cyberattack and alerted superiors. On Jul 10, MOH, SingHealth and CSA were informed and forensic investigations were carried out.
It was found that data was taken out from Jun 27 to Jul 4 this year, and the patient records accessed and copied were from those who visited SingHealth’s specialist outpatient clinics and polyclinics from May 1, 2015, to Jul 4 this year.
CSA ascertained the cyberattackers first accessed the network after breaching a front-end workstation, and managed to get privileged access to the database over time while also showing sophistication in cleaning up their digital footprints when doing so.
SingHealth has since lodged a police report on Jul 12, and police investigations are ongoing. These investigations are separate from those looking into the cyberattack, Channel NewsAsia understands.