- SingHealth and IHIS have been fined a total of S$1 million for negligence and a weak incident response.
- It is the largest fine ever imposed by Singapore's data protection regulator, and follows the record-breaking data breach of 2018.
- IHIS has dismissed two staff members and fined five executives, and a new incident response plan and database-hardening measures have been put in place.
In July 2018, Singapore suffered its worst cyber-attack to date: the personal particulars of about 1.5 million patients, including the outpatient prescriptions of some of them, were stolen from a SingHealth patient database. With the investigation into the incident and the agencies' response now concluded, Singapore's Personal Data Protection Commission (PDPC) has announced fines of S$250,000 for SingHealth and S$750,000 for Integrated Health Information Systems (IHIS).
SingHealth, as the owner of the patient database that the threat actors infiltrated, was found to be unfamiliar with its own incident response process and to have relied entirely on IHIS to act. The PDPC notes that although SingHealth had delegated most of the operational work to IHIS, it remained responsible for protecting its own data. IHIS received the heavier fine because, as the IT agency responsible for the infrastructure of the country's public healthcare sector, it was found to have been negligent.
According to the PDPC report, the initial compromise was made through a dormant administrator account whose password was "P@ssw0rd". Using this account, the attacker reached SGH (Singapore General Hospital) Citrix servers that should have been decommissioned. The SCM (Sunrise Clinical Manager) database itself remained out of reach at first because the account lacked the necessary privileges, and the database administrator even noticed multiple failed login attempts against it. In the days that followed, the attackers obtained valid credentials through the H-Cloud Citrix server and logged in to the SCM database. Throughout this period, employees and senior management were slow and inadequate in responding to the threat, even though it was repeatedly reported by various officers, and so the data was exfiltrated. PDPC says the database the attackers reached held the records of about 5 million patients, of which they managed to dump roughly one fifth.
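Two of the signals in that account, a long-dormant privileged account suddenly authenticating and a burst of failed logins against the clinical database, are exactly the kind of thing a detection rule should surface before anyone has to notice them by hand. The following is an added example written for this page, not tooling used by SingHealth, IHIS or the PDPC: it runs simple detection logic over a constructed authentication log and also shows why a password like "P@ssw0rd" fails a denylist check once common character substitutions are normalised away. The log format, host names, account names, addresses, last-seen inventory and denylist are all constructed for the example.

```python
"""Added example: detecting the warning signs described above.

Illustrative code written for this page, not tooling used by SingHealth,
IHIS or the PDPC. The log format, hosts, accounts, addresses, last-seen
inventory and denylist are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (syslog-like key=value lines).
SAMPLE_LOG = """\
2018-06-11T02:14:05 host=sgh-citrix-07 user=admin_legacy result=SUCCESS src=10.10.5.23
2018-06-26T23:41:10 host=scm-db-01 user=svc_report result=FAILURE src=10.10.5.23
2018-06-26T23:41:12 host=scm-db-01 user=svc_report result=FAILURE src=10.10.5.23
2018-06-26T23:41:15 host=scm-db-01 user=sa result=FAILURE src=10.10.5.23
2018-06-26T23:41:19 host=scm-db-01 user=sa result=FAILURE src=10.10.5.23
2018-06-26T23:41:22 host=scm-db-01 user=dbadmin result=FAILURE src=10.10.5.23
2018-06-26T23:41:30 host=scm-db-01 user=dbadmin result=FAILURE src=10.10.5.23
2018-06-27T08:05:00 host=scm-db-01 user=jtan result=FAILURE src=10.20.1.44
2018-06-27T08:05:20 host=scm-db-01 user=jtan result=SUCCESS src=10.20.1.44
2018-06-27T09:00:00 host=scm-db-01 user=jtan result=SUCCESS src=10.20.1.44
"""

# Constructed inventory: last successful login per account before the log window.
LAST_SEEN = {
    "admin_legacy": datetime(2017, 11, 2),
    "jtan": datetime(2018, 6, 25),
}

# Small constructed denylist; a real deployment would use a breached-password list.
WEAK_BASE_WORDS = {"password", "welcome", "admin", "letmein", "qwerty", "changeme"}
# Undo the usual leetspeak substitutions so "P@ssw0rd" collapses to "password".
LEET_MAP = str.maketrans("@$01345!", "asoieasi")


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def is_weak_password(password):
    """True if the password is short or hides a denylisted word behind substitutions."""
    normalised = password.lower().translate(LEET_MAP)
    return len(password) < 12 or any(word in normalised for word in WEAK_BASE_WORDS)


def find_dormant_logins(events, last_seen, dormant_days=90):
    """Flag successful logins by accounts idle longer than dormant_days (or never seen)."""
    seen = dict(last_seen)
    alerts = []
    for event in sorted(events, key=lambda e: e["ts"]):
        if event["result"] != "SUCCESS":
            continue
        previous = seen.get(event["user"])
        if previous is None or event["ts"] - previous > timedelta(days=dormant_days):
            alerts.append({
                "user": event["user"],
                "host": event["host"],
                "idle_days": (event["ts"] - previous).days if previous else None,
            })
        seen[event["user"]] = event["ts"]  # the account is active from now on
    return alerts


def find_failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Flag a source producing >= threshold failures against one host inside a sliding window."""
    failures = defaultdict(list)
    for event in events:
        if event["result"] == "FAILURE":
            failures[(event["src"], event["host"])].append(event)
    alerts = []
    for (src, host), evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        best = (0, 0, 0)  # (count, start, end) of the densest window seen
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            best = max(best, (end - start + 1, start, end))
        count, start, end = best
        if count >= threshold:
            alerts.append({
                "src": src, "host": host, "count": count,
                "users": sorted({e["user"] for e in evs[start:end + 1]}),
                "first": evs[start]["ts"], "last": evs[end]["ts"],
            })
    return alerts


def analyse(log_text=SAMPLE_LOG, last_seen=LAST_SEEN):
    """Run both detections over the log and return the alerts by category."""
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    return {
        "dormant_logins": find_dormant_logins(events, last_seen),
        "failed_login_bursts": find_failed_login_bursts(events),
    }


if __name__ == "__main__":
    for name, alerts in analyse().items():
        for alert in alerts:
            print(name, alert)
    print("P@ssw0rd weak:", is_weak_password("P@ssw0rd"))
```

On the constructed log the dormant-account rule fires once, for the administrator account that had been idle for over 200 days, and the burst rule fires once, for the single source that cycles through three database accounts in twenty seconds; the ordinary user who mistypes a password once and then logs in is not flagged by either. The leetspeak normalisation is deliberately crude: its point is that a policy which only counts character classes accepts "P@ssw0rd" while a denylist check applied after normalisation rejects it.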
In the aftermath, two IHIS staff members were dismissed and five senior management executives were fined, among them IHIS CEO Bruce Liang, on the grounds of "collective leadership responsibility". IHIS has also applied more stringent measures since last November, in an effort to prevent similar cyber-attacks and to respond better to future database breaches.
Do you believe that healthcare databases are safe from hackers? Let us know in the comments below, and join the discussions in our online communities on Facebook and Twitter.