S$750,000 fine imposed on IHiS, S$250,000 fine on SingHealth, due to country’s worst security breach


As penalties for lapses that led to the most severe data breach in Singapore’s history, the Personal Data Protection Commission (PDPC) has imposed high fines on SingHealth and the Integrated Health Information Systems (IHiS). The data breach occurred between June and July 2018, with even the personal data of Singapore’s Prime Minister Lee Hsien Loong compromised.

The fines of S$750,000 to IHiS and S$250,000 to SingHealth are the largest fines that the privacy watchdog has ever imposed.

IHiS is the technology vendor for Singapore’s healthcare sector. The PDPC found that while the majority of the fault lay with IHiS, SingHealth still had to take some responsibility for the data breach, for the following reasons, among others.

SingHealth’s staff did not know how to respond to the breach. They were also too dependent on IHiS to handle all security matters. Finally, they neither grasped, nor made the effort to fully understand, the information about the breach that IHiS gave them after it had occurred.

The PDPC said in a statement on January 15, “Even if organizations delegate work to vendors, organizations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers.”

The security breach gave hackers access to the personal information of 1,500,000 patients in all. Information concerning the medicine prescribed to 160,000 outpatients was also accessed. Much of this information was stolen and copied.

IHiS received the $750,000 fine because, according to a report published last week, it had not put sufficient security measures in place to protect the SingHealth data under its purview.

SingHealth itself, as the owner of the database system, was given a $250,000 fine.

The PDPC took into consideration SingHealth’s and IHiS’s full cooperation with the investigation, as well as the fact that immediate action was taken once the extent of the breach was determined.

On July 4, 2018, when the breach was found out, the Integrated Health Information Systems worked with the Cyber Security Agency of Singapore to stop any further hacking of patient information.

On Monday, January 14, IHiS announced the demotion of one employee as well as the firing of two others, in the wake of the report from the Committee of Inquiry, wherein middle-management lapses were detailed.

Other employees were also given financial penalties by the company, the most prominent being IHiS’s CEO, Bruce Liang, on the basis of command responsibility.

Questions concerning the SingHealth data breach have been brought up by Members of Parliament, and these are expected to be discussed in the House on January 15.

SingHealth group CEO Professor Ivy Ng accepted a fine and issued an apology to the patients whose data had been stolen.

“We are making changes to enhance our cyber-security governance structures and improve management oversight of our critical systems.

We are also working with IHiS to comprehensively upgrade our cyber defense systems and processes to more effectively guard against cybersecurity risks, as well as to respond in a timely and robust manner to any intrusion.

We are fully committed to learning and improving from this incident. We will embed cybersecurity consciousness into our daily operations and ensure that stringent measures are in place to safeguard our patients’ data.”

The chairman of SingHealth, Peter Seah, said that the senior leadership team, including the CEO, has also volunteered to accept a financial penalty.
