Data breach by SingHealth and IHiS

Feb 19 2019 | by OrionW

In what the Personal Data Protection Commission (PDPC) called “the worst breach of personal data in Singapore’s history”, the PDPC imposed penalties of S$250,000 on Singapore Health Services Pte Ltd (SingHealth) and S$750,000 on Integrated Health Information Systems Pte Ltd (IHiS).  The case involved a breach of section 24 (Protection Obligation) of the Personal Data Protection Act 2012 after a hacker exfiltrated almost 1.5 million patients’ personal data and 159,000 patients’ outpatient prescription records.

SingHealth is one of the corporatised healthcare institutions through which the Singapore government provides public healthcare services.  IHiS is the central national agency designated by the Ministry of Health (MOH) to be responsible for maintaining and securing the public healthcare sector’s IT systems. As SingHealth’s data intermediary, IHiS processed personal data on SingHealth’s behalf.

The PDPC ruled that SingHealth failed to comply with the Protection Obligation when its chief information security officer (CISO) failed to adhere to SingHealth’s IT security incident reporting processes even after being informed of multiple failed attempts to access SingHealth’s patient database using invalid credentials.   The PDPC also ruled that SingHealth devoted insufficient resources to oversee its IT systems as it only had one employee (i.e., the CISO) with a portfolio specific to security even though it possesses large databases of sensitive medical personal data.  The PDPC found that these issues signify a systemic failure in SingHealth’s compliance with the Protection Obligation.

In the case of IHiS, the PDPC ruled that it did not develop any written policy on IT security incident reporting for its non-security staff and failed to provide sufficient training for its staff to fully comprehend its procedure and framework for security incidents.  Informing staff through emails, circulars, wallpapers and intranet banners about security incident reporting is not sufficient given the large volumes of sensitive personal data which IHiS was processing; there should be centrally-stored policies which staff could later refer to.  

In addition, IHiS had several other security missteps: among others, it did not use relevant software firewalls (even though it informed SingHealth that its software firewall rules had been implemented), it had weak local administrator passwords which have not been changed in 5 years, it stored user passwords in cleartext and it did not have sufficient processes in place to detect and disable dormant accounts.

It is critical to note that even as IHiS is an MOH-designated data intermediary for SingHealth, both organisations are obligated to comply with the Protection Obligation.  Despite engaging IHiS to protect personal data in its database, SingHealth still has the primary responsibility to ensure that there are sufficient security arrangements in place to protect patients’ personal data.

Key takeaways

  • Even if an organisation completely outsources its IT function, that organisation remains liable under the PDPA for the data processing carried out by its data intermediary.  Therefore, the appointing organisation should ensure that it has sufficient and appropriate mechanisms to properly monitor and manage the processing carried out by its data intermediary, taking into account the nature and scope of the personal data being processed.  These mechanisms can include having a staff of appropriate size and skill to manage the organisation’s obligations under the PDPA and having a contract that sets out its data intermediary’s obligations and responsibilities in protecting personal data.

  • To comply with the Protection Obligation, security arrangements must be appropriate and adequate in view of the personal data being processed.  More sophisticated IT security measures (e.g., database access monitoring) must be put in place where sensitive or voluminous personal data are processed.  In any event, security measures should be implemented and enforced, and kept current (e.g., regular deployment of security patches) to protect against external threats.

  • Development of written and easily accessible IT security incident reporting procedures and proper employee training on those procedures are essential to prevent data breaches.
  • Administrative passwords should be strong and changed regularly (e.g., every 3 to 6 months).  User passwords should be configured to be encrypted, prompted or hashed.  There should be processes in place to promptly detect and disable dormant accounts.