At least 27,000 unusual log-in attempts detected on Singapore HealthHub portal

More than 27,000 unusual log-in attempts on the HealthHub portal have been detected, after a user raised the alarm over an unauthorised use of her e-mail account to log in to the portal.

In a joint statement on Thursday (18 October), the Health Promotion Board (HPB) and Integrated Health Information Systems (IHiS) said that investigations revealed higher-than-usual attempted log-ins to HealthHub over four days in September and October.

The attempts were made with more than 27,000 unique IDs/e-mails. Seventy-two accounts were successfully accessed during the four days.

“Based on the suspicious volume of email addresses not related to HealthHub account IDs and the repeated attempts, it is likely that the volume of email addresses used had been obtained from external sources. No evidence of a breach in the HealthHub system has been found,” said the statement.

The agencies added that unusual log-in attempts and access were limited to the basic tier of HealthHub. This contains the user’s self-populated profile and any Healthpoints accumulated through participation in HPB programmes.

“Access to other e-services requires SingPass and 2-factor authentication, and was not affected.”

The 72 HealthHub accounts were locked to protect them. HPB also contacted each of the account holders to check if they had made the log-ins themselves, according to the statement.

The agency also advised the account holders on how they could unlock their accounts and reset their passwords.

Access to the HealthHub mobile application and HealthHub website e-services was suspended from October 9 to 14, while the unusual log-in attempts were investigated.

Access to the HealthHub mobile application and website e-services has since been restored.

Launched in 2015, HealthHub is a one-stop health portal and app that enables users to access their health records and make medical appointments, among other things. The HealthHub portal is owned by HPB and operated by IHiS, the central IT agency for the healthcare sector.

HealthHub users who wish to make enquiries on their account can contact HPB at 1800 225 4482 or HPB_HealthHub@hpb.gov.sg.

The HealthHub incident comes in the wake of the SingHealth cyberattack in June and July, when the personal particulars of 1,495,364 unique patients – including those of Prime Minister Lee Hsien Loong – were stolen from SingHealth’s database.

A Committee of Inquiry has been appointed to look into the SingHealth cyberattack. It concluded its tranche of hearings earlier in October and will resume its hearings later this month.
