Feb 19 2019 | by OrionW
In what the Personal Data Protection Commission (PDPC) called “the worst breach of personal data in Singapore’s history”, the PDPC imposed penalties of S$250,000 on Singapore Health Services Pte Ltd (SingHealth) and S$750,000 on Integrated Health Information Systems Pte Ltd (IHiS). The case involved a breach of section 24 (Protection Obligation) of the Personal Data Protection Act 2012 after a hacker exfiltrated almost 1.5 million patients’ personal data and 159,000 patients’ outpatient prescription records.
SingHealth is one of the corporatised healthcare institutions through which the Singapore government provides public healthcare services. IHiS is the central national agency designated by the Ministry of Health (MOH) to be responsible for maintaining and securing the public healthcare sector’s IT systems. As SingHealth’s data intermediary, IHiS processed personal data on SingHealth’s behalf.
The PDPC ruled that SingHealth failed to comply with the Protection Obligation when its chief information security officer (CISO) failed to adhere to SingHealth’s IT security incident reporting processes even after being informed of multiple failed attempts to access SingHealth’s patient database using invalid credentials. The PDPC also ruled that SingHealth devoted insufficient resources to oversee its IT systems as it only had one employee (i.e., the CISO) with a portfolio specific to security even though it possesses large databases of sensitive medical personal data. The PDPC found that these issues signify a systemic failure in SingHealth’s compliance with the Protection Obligation.
In the case of IHiS, the PDPC ruled that it did not develop any written policy on IT security incident reporting for its non-security staff and failed to provide sufficient training for its staff to fully comprehend its procedure and framework for security incidents. Informing staff through emails, circulars, wallpapers and intranet banners about security incident reporting is not sufficient given the large volumes of sensitive personal data which IHiS was processing; there should be centrally-stored policies which staff could later refer to.
In addition, IHiS had several other security missteps: among others, it did not use relevant software firewalls (even though it informed SingHealth that its software firewall rules had been implemented), it had weak local administrator passwords which have not been changed in 5 years, it stored user passwords in cleartext and it did not have sufficient processes in place to detect and disable dormant accounts.
It is critical to note that even as IHiS is an MOH-designated data intermediary for SingHealth, both organisations are obligated to comply with the Protection Obligation. Despite engaging IHiS to protect personal data in its database, SingHealth still has the primary responsibility to ensure that there are sufficient security arrangements in place to protect patients’ personal data.