Committee of Inquiry to be convened after cyber-attackers targeted PM Lee and stole 1.5 million SingHealth patients’ records

1507

The Ministry of Communications and Information (MCI) and the Ministry of Health (MOH) said in a press release today that it will convene a Committee of Inquiry (COI) to investigate the cyber-attack on SingHealth’s database. Mr Richard Magnus, a member of the Public Service Commission, will chair the COI.

The Government’s statement said that the attackers “specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines”. It added that the hackers illegally accessed and copied the data of “1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018”.

“I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret or at least something to embarrass me. If so, they would have been disappointed,” said PM Lee Hsien Loong on SingHealth cyberattack.

The MCI said on Friday that a scan of all government systems “found no evidence of compromise”.

“The Smart National and Digital Government Group will pause the introduction of new information and communications technology systems while it reviews the cybersecurity measures of government systems,” MCI added.

The following is the joint-statement by MOH and MCI in full:

SINGHEALTH’S IT SYSTEM TARGET OF CYBERATTACK

Safeguard Measures Taken, No Further Exfiltration Detected

SingHealth’s database containing patient personal particulars and outpatient dispensed medicines has been the target of a major cyberattack.

About 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 have had their non-medical personal particulars illegally accessed and copied. The data taken include name, NRIC number, address, gender, race and date of birth. Information on the outpatient dispensed medicines of about 160,000 of these patients was also exfiltrated. The records were not tampered with, i.e. no records were amended or deleted. No other patient records, such as diagnosis, test results or doctors’ notes, were breached. We have not found evidence of a similar breach in the other public healthcare IT systems.

Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS)[1] confirmed that this was a deliberate, targeted and well-planned cyberattack. It was not the work of casual hackers or criminal gangs.

The attackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s personal particulars and information on his outpatient dispensed medicines.

Background

On 4 July 2018, IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity. IHiS investigated the incident to ascertain the nature of the activity, while putting in place additional cybersecurity precautions. On 10 July 2018, investigations confirmed that it was a cyberattack, and the Ministry of Health (MOH), SingHealth and CSA were informed. It was established that data was exfiltrated from 27 June 2018 to 4 July 2018. SingHealth lodged a police report on 12 Jul 2018. Police investigation is ongoing.

With heightened monitoring, further malicious activities were observed. However, no further illegal exfiltration has been detected since 4 July 2018. All patient records in SingHealth’s IT system remain intact. There has been no disruption of healthcare services during the period of the cyberattack, and patient care has not been compromised.

IHiS, with CSA’s support, has implemented further measures to tighten the security of SingHealth’s IT systems. These include temporarily imposing internet surfing separation. We have also placed additional controls on workstations and servers, reset user and systems accounts, and installed additional system monitoring controls. Similar measures are being put in place for IT systems across the public healthcare sector against this threat.

Investigations by CSA

CSA has ascertained that the cyber attackers accessed the SingHealth IT system through an initial breach on a particular front-end workstation. They subsequently managed to obtain privileged account credentials to gain privileged access to the database. Upon discovery, the breach was immediately contained, preventing further illegal exfiltration.

Patient Engagement

From today, SingHealth will be progressively contacting all patients who visited its specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018, to notify them if their data had been illegally exfiltrated. All the patients, whether or not their data were compromised, will receive an SMS notification over the next five days. Patients can also access the Health Buddy mobile app or SingHealth website to check if they are affected by this incident.

Further Actions

MOH has directed IHiS to conduct a thorough review of our public healthcare system, with support from third-party experts, to improve cyber threat prevention, detection and response. Areas of review will include cybersecurity policies, threat management processes, IT system controls and organisational and staff capabilities. Advisories have been sent to all healthcare institutions, public and private, on the cybersecurity precautions and measures to be taken.

The Government takes a serious view of any cyberattack, illegal access of data or action that compromises the confidentiality of data in Singapore. The Minister-in-Charge of Cyber Security will establish a Committee of Inquiry to conduct an independent external review of this incident.