
FULL STATEMENT: SingHealth and IHiS fined $250,000 and $750,000 respectively over massive data breach


The Personal Data Protection Commission (PDPC) has imposed financial penalties on Integrated Health Information Systems Pte Ltd (“IHiS”) and Singapore Health Services Pte Ltd (“SingHealth”) for breaching their data protection obligations under the Personal Data Protection Act (PDPA).

PDPC’s investigations into the data breach arising from a cyber attack on SingHealth’s patient database system found that IHiS had failed to take adequate security measures to protect the personal data in its possession. PDPC has imposed a financial penalty of S$750,000 on IHiS.

A financial penalty of S$250,000 has also been imposed on SingHealth as the owner of the patient database system. PDPC found that the SingHealth personnel handling security incidents were unfamiliar with the incident response process, overly dependent on IHiS, and failed to understand and take further steps to understand the significance of the information provided by IHiS after it was surfaced.

Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers.

These financial penalties are the highest ever imposed by PDPC to date. PDPC took into account the fact that the data breach was the largest breach that Singapore has ever experienced, as well as the sensitive and confidential nature of the patients’ data.

In addition, the penalties took into account the fact that IHiS and SingHealth were cooperative throughout the investigations and took immediate remedial actions. PDPC also recognised that both organisations were victims of a skilled and sophisticated threat actor bearing the characteristics of an Advanced Persistent Threat group, using numerous advanced, customised and stealthy tools and carrying out its attack over a period of more than 10 months.

The statement above is a press release from the Personal Data Protection Commission. The PDPC administers the Personal Data Protection Act 2012 (PDPA) in Singapore, which aims to safeguard individuals’ personal data against misuse and promote proper management of personal data in organisations.
