1.5M patients' data, including PM Lee Hsien Loong's, stolen in major cyberattack

PM Lee Hsien Loong posing with Ng Hon Wing, his radiographer at the Singapore General Hospital on 10 February, 2016. (PHOTO: Lee Hsien Loong/Facebook)

Information on Prime Minister Lee Hsien Loong’s outpatient dispense medicines as well as personal particulars of about 1.5 million patients were stolen from SingHealth’s database in a recent “deliberate and well-planned cyberattack”, said the Ministry of Health (MOH) and the Ministry of Communications and Information (MCI) on Friday (20 July).

“The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines,” the authorities added in a joint statement.

In response to the announcement, Lee said attackers would be “disappointed” with what they found about him.

I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me,” wrote Lee on his Facebook page. “My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it.”

Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS) have confirmed that the incident was “deliberate, targeted and well-planned”, but the MOH did not specify the attackers, only adding to say that it was “not the work of casual hackers or criminal gangs”.

Of the attackers, Lee said, “Those trying to break into our data systems are extremely skilled and determined. They have huge resources, and never give up trying.”

Lee had battled cancer twice. In 2015, he underwent surgery to remove his cancerous prostate gland and was given the all-clear for prostate cancer. He had another bout with cancer in 1992 arising from intermediate grade malignant lymphoma.

The attackers also illegally accessed and copied data including the name, NRIC number, address, gender, race and date of birth of about 1.5 million patients who visited SingHealth’s specialised outpatient clinics and polyclinics from 1 May 2015 to 4 July.

Information on the outpatient dispensed medicines of about 160,000 of these patients was also exfiltrated. The records were not tampered with, and no other patient records, such as diagnosis, test results or doctors’ notes, were breached, the MOH added.

“We have not found evidence of a similar breach in the other public healthcare IT systems,” said the MOH.

As a precaution, the IHiS, with CSA’s support, has implemented further measures to tighten the security of SingHealth’s IT systems.

These include temporarily imposing internet surfing separation, additional controls on workstations and servers, reset user and systems accounts, and installed additional system monitoring controls, with similar measures being put in place for IT systems across the public healthcare sector.

The ministry has also directed IHiS to conduct a thorough review of the Republic’s public healthcare system, with support from third-party experts, to improve cyber threat prevention, detection and response.

“Areas of review will include cybersecurity policies, threat management processes, IT system controls and organisational and staff capabilities. Advisories have been sent to all healthcare institutions, public and private, on the cybersecurity precautions and measures to be taken,” the MOH said.

The Minister-in-Charge of Cyber Security will establish a Committee of Inquiry to conduct an independent external review of this incident.

Describing it as a “ceaseless effort”, Lee said, “Government systems come under attack thousands of times a day. Our goal has to be to prevent every single one of these attacks from succeeding. If we discover a breach, we must promptly put it right, improve our systems, and inform the people affected.”

“This is what we are doing in this case. We cannot go back to paper records and files. We have to go forward, to build a secure and smart nation.”

From Friday, SingHealth will be progressively contacting all patients who visited its specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July, to notify them if their data had been illegally exfiltrated.

All the patients, whether or not their data were compromised, will receive an SMS notification over the next five days. Patients can also access the Health Buddy mobile app or SingHealth website to check if they are affected by this incident.

Background to cyber-attack

On 4 July, the IHiS’ database administrators had detected unusual activity on one of SingHealth’s IT databases.

After acting immediately to halt the activity, the IHiS investigated the incident to ascertain the nature of the activity, while putting in place additional cybersecurity precautions.

A week later, investigations confirmed that it was a cyber-attack, and the MOH, SingHealth and CSA were informed.

The CSA also ascertained that the cyber attackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation.

“They subsequently managed to obtain privileged account credentials to gain privileged access to the database. Upon discovery, the breach was immediately contained, preventing further illegal exfiltration,” the MOH added.

SingHealth lodged a police report on 12 July. Police investigations are ongoing.

“With heightened monitoring, further malicious activities were observed. However, no further illegal exfiltration has been detected since 4 July,” said the MOH.

“All patient records in SingHealth’s IT system remain intact. There has been no disruption of healthcare services during the period of the cyberattack, and patient care has not been compromised.”

Other Singapore stories:

Assertive Chinese identity due to China’s rise is a threat to Singapore: Bilahari Kausikan

POLL: What should Mindef do about Ben Davis?