Tuesday, May 13, 2025

FULL STATEMENT: SingHealth and IHiS fined $250,000 and $750,000 respectively over massive data breach

The Personal Data Protection Commission (PDPC) has imposed financial penalties on Integrated Health Information Systems Pte Ltd (“IHiS”) and Singapore Health Services Pte Ltd (“SingHealth”) for breaching their data protection obligations under the Personal Data Protection Act (PDPA).

PDPC’s investigations into the data breach arising from a cyber attack on SingHealth’s patient database system found that IHiS had failed to take adequate security measures to protect the personal data in its possession. PDPC has imposed a financial penalty of S$750,000 on IHiS.

A financial penalty of S$250,000 has also been imposed on SingHealth as the owner of the patient database system. PDPC found that the SingHealth personnel handling security incidents were unfamiliar with the incident response process, overly dependent on IHiS, and failed to understand and take further steps to understand the significance of the information provided by IHiS after it was surfaced.

Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers.

These financial penalties are the highest ever imposed by PDPC to date. PDPC took into account the fact that the data breach was the largest breach that Singapore has ever experienced, as well as the sensitive and confidential nature of the patients’ data.

In addition, the penalties took into account the fact that IHiS and SingHealth were cooperative throughout the investigations and took immediate remedial actions. PDPC also recognised that both organisations were victims of a skilled and sophisticated threat actor bearing the characteristics of an Advanced Persistent Threat group, using numerous advanced, customised and stealthy tools and carrying out its attack over a period of more than 10 months.

The statement above is a press release from the Personal Data Protection Commission. The PDPC administers the Personal Data Protection Act 2012 (PDPA) in Singapore, which aims to safeguard individuals’ personal data against misuse and promote proper management of personal data in organisations.
