CORRECTION: An earlier version of the story misstated that the CEO of the Integrated Health Information Systems (IHiS) is Ivy Ng. The CEO of IHiS is Bruce Liang. We are sorry for the error.
Two senior managers at the Integrated Health Information Systems (IHiS) have been sacked for being “negligent” and “in non-compliance of orders” during the 2018 SingHealth cyberattack, which contributed to the unprecedented scale of the incident.
Five members of the IHiS senior management, including CEO Bruce Liang, have also been given a “significant financial penalty” for their collective leadership responsibility. A “moderate financial penalty” will be imposed on two middle management supervisors, said the central IT agency for the healthcare sector on Monday (14 January).
In addition, a Cluster Information Security Officer – who was not named but is believed to be Wee Jia Huo – who “failed to comply with IHiS’ incident reporting processes” has been demoted and re-deployed to another role.
An IHiS spokesperson noted that the Security Incident Response Manager – believed to be Ernest Tan – had “persistently held a mistaken understanding of what constituted a ‘security incident’, and when a security incident should be reported”.
“His passiveness even after repeated alerts by his staff resulted in missed opportunities which could have mitigated or averted the effect of the cyber-attack,” added the spokesperson. Consequently, both Tan and a Team Lead in the Citrix Team were told to go. The Team Lead is believed to be Lum Yuan Woh.
“Whilst there was no intent to cause or facilitate the cyberattack, both of them had failed to discharge the responsibilities entrusted on them.”
The terminations are with immediate effect. In response to queries from Yahoo News Singapore, IHiS declined to elaborate on the nature of the financial penalty or to confirm the identities of the terminated staff members.
The worst cyberattack in Singapore’s history
The announcement follows the release of a report last Thursday by a Committee of Inquiry (COI) tasked with looking into the attack. Alongside 16 recommendations on improving the Republic’s cybersecurity landscape, the COI also highlighted lapses by IHiS staff that contributed to the success of the attacker.
The personal particulars of 1,495,364 unique patients – including that of Prime Minister Lee Hsien Loong – were stolen from SingHealth’s database during the cyberattack, which occurred between 27 June and 4 July last year. The data comprised the patients’ demographic records and the dispensed medication records of about 159,000 of them.
Minister-in-Charge of Cybersecurity S. Iswaran and Health Minister Gan Kim Yong will address the report in separate Ministerial Statements during a Parliament sitting on 15 January.
IHiS said that the disciplinary measures were recommended by an independent human resource panel that was appointed to examine the roles, responsibilities and actions of IHiS staff who responded to the attack. It was chaired by an IHiS board director, and included two members from the public and private sectors, with HR and IT experience.
Letters of commendation were also presented to three IHiS staff who were found to be “proactive and demonstrated resourcefulness in managing the cyberattack.”