SINGAPORE — Seventy-two accounts on the Health Promotion Board’s (HPB) HealthHub portal were recently accessed without authorisation, prompting authorities here to shut down access to the electronic service for six days early this month.
The HPB and Integrated Health Information Systems (IHiS) said on Thursday (Oct 18) that they discovered the unauthorised log-ins during investigations into unusual activities on HealthHub, a one-stop portal and mobile application for Singaporeans to access their public health records and a range of e-services such as making medical appointments.
The agencies had found “higher than usual attempted log-ins” to the portal on four days – Sept 28, Oct 3, Oct 8 and Oct 9 – using more than 27,000 unique IDs or email addresses.
Although 98 per cent of the email addresses used were not related to HealthHub account IDs – and these attempts were unsuccessful – 72 accounts were successfully logged into.
The affected accounts were then locked, and the users were contacted to inform them that their accounts may have been accessed without authorisation, the HPB and IHiS said in a joint statement.
The suspected hacking attempt came on the heels of a cyber attack on SingHealth in June.
While HealthHub accounts allow users to access their family’s medical records, the agencies noted that the unauthorised log-ins were limited to the basic tier of HealthHub, which contains the user’s self-populated profile and any Healthpoints accumulated through participation in HPB programmes. No personal health records were accessed.
Access to other e-services were not affected, as they require a SingPass password and two-factor authentication, the statement added.
The HPB and IHiS said that no evidence of a breach in the HealthHub system has been found.
The agencies added: “Based on the suspicious volume of email addresses not related to HealthHub account IDs and the repeated attempts, it is likely that the volume of email addresses used had been obtained from external sources.”
The HPB was first alerted when a user suspected her email account had been used without her permission to log in to the portal, and informed HPB.
Access to the mobile app and website e-services of HealthHub were suspended from Oct 9 to Oct 14 as a precaution while the unusual log-in attempts were investigated. Access has since been restored.