SINGAPORE: Starting from this evening and over the next five days, SingHealth will progressively send a text message to each of the 1.5 million patients who visited its specialist outpatient clinics and polyclinics from May 1, 2015 to Jul 4, 2018 to notify them if their medicine records had been illegally extracted or not.
For those with no registered mobile number, a letter will be sent to their address within a week.
AdvertisementThese 1.5 million patients had their non-medical records – including name, NRIC, address and date of birth – illegally accessed and copied in the cyberattack. Of this group, about 160,000 patients had their medicine records leaked.
Those whose medicine records were leaked will be given a specific hotline to call.
No other patient records, such as diagnosis, tests results or doctor’s notes, were breached.
“Patients can also access the Health Buddy mobile app or SingHealth website to check if they are affected by this incident,” the Ministry of Communications and Information (MCI) and Ministry of Health (MOH) said in a joint statement on Friday (Jul 20).
AdvertisementAdvertisementThe cyberrattack, which investigations had confirmed on Jul 10 was “deliberate, targeted and well-planned”, is Singapore’s most serious personal data breach to date. “It was not the work of casual hackers or criminal gangs,” the ministries said.
The Integrated Health Information Systems (IHiS), the technology agency for the public healthcare sector, first detected “unusual activity” on one of SingHealth’s IT databases on Jul 4. Following investigations, it was established that data was extracted from Jun 27 to Jul 4.
Prime Minister Lee Hsien Loong’s personal particulars and outpatient medication data were “specifically and repeatedly” targeted, the ministries said.
SingHealth lodged a police report on Jul 12. Police investigations are ongoing.
Minister-in-charge of Cybersecurity S Iswaran will convene a Committee of Inquiry (COI) to establish the events and contributing factors leading to the cyberattack and the response to the incident, which has “serious public health and safety implications”.
“It will also recommend measures to better manage and secure SingHealth’s and other public sector IT systems against similar cybersecurity attacks in future,” MCI said.
Retired Senior District Judge and Public Service Commission member Richard Magnus will chair the COI, whose composition and terms of reference will be revealed at a “later date”.
STRENGTHENING IT SYSTEMS
Meanwhile, the Government said it will take “immediate action” to strengthen its IT systems against similar attacks.
To that end, Mr Iswaran has directed the Cyber Security Agency of Singapore to work closely with key sectors – including the energy and banking and finance industries – to improve the security of their Critical Information Infrastructure systems.
“The Smart Nation and Digital Government Group (SNDGG) has completed a scan of all Government systems and found no evidence of compromise,” MCI said.
“SNDGG will pause the introduction of new ICT systems while it reviews the cybersecurity measures of Government systems, and implements any additional security safeguards which are necessary.”
On another level, MOH has directed IHiS to conduct a “thorough review” of the public healthcare system with the help of third-party experts to improve cyberattack prevention, detection and response.
Areas of review include cybersecurity policies, threat management processes, IT system controls and organisational and staff capabilities.
“Advisories have been sent to all healthcare institutions, public and private, on the cybersecurity precautions and measures to be taken,” the ministries said.
“The Government takes a serious view of any cyberattack, illegal access of data or action that compromises the confidentiality of data in Singapore.”
Let's block ads! (Why?)
More...