SINGAPORE: A data breach in 2020 involving a Singapore-based healthcare service provider resulted in patients’ information being put up for sale the following year in a forum on the dark web.

The company, Fullerton Health Group, and its vendor have been fined $68,000 due to a leak that potentially affected around 150,000 Fullerton Health patients along with its corporate clients’ employees.

Not only was health information compromised, but also identity numbers, telephone numbers, and financial details, including bank account numbers and codes.

The healthcare provider was given a $58,000 fine, and Agape Connecting People Holdings, the social enterprise that aided in making appointments for Fullerton Health’s patients, was fined another $10,000.

Fullerton Health became aware on Oct 15, 2021, that its clients’ data was offered for sale on a forum on the dark web, which consists of online spaces that can only be accessed through special software that allows users and operators to be anonymous or untraceable.

The company then engaged the services of cybersecurity consultants, who contacted the alleged data vendor. He said that he took the data from the internet-facing file server of Agape.

According to the Personal Data Protection Commission (PDPC), Fullerton Health worsened the situation by inadvertently disclosing unnecessary sensitive personal data only meant for employees’ internal use on the online drive it shared with Agape, which included codes for surgical procedures carried out in hospitals.

Agape does not need these codes or other shared data.

“These datasets were not required by Agape for the performance of the services, and this inadvertent disclosure ultimately led to a greater loss of personal data during the incident,” said the PDPC.

The PDPC held Fullerton Health responsible for exercising due diligence and reasonable supervision over Agape.

Shortly after Fullerton Health became aware of the breach, the post on the dark web forum was taken down. In the interim, Fullerton Health and Agape informed the PDPC about the data breach. /TISG
