On 14 January 2019, Singapore’s Personal Data Protection Commission issued its grounds of decision against Singapore Health Services Pte. Ltd. (SingHealth) and Integrated Health Information Systems Pte. Ltd. (IHiS) for what has been coined the “worst breach of personal data in Singapore’s history”.

The unprecedented cyber attack on SingHealth’s patient database system led to the exfiltration of 1.5 million patients’ personal data and nearly 160,000 patients’ outpatient prescription records.

The commission received several complaints from members of the public regarding this data breach and commenced its investigations thereafter.

The facts of this case were as follows:

  • SingHealth is one of three healthcare clusters in the Singapore public healthcare sector. IHiS is the central national information technology (IT) agency for the public healthcare sector in Singapore.
  • SingHealth uses Sunrise Clinical Manager system (SCM), an electronic medical record software solution managed by IHiS, which is actively used by SingHealth staff in patient care and management. The SCM contains the patient medical records of over five million unique individuals, including the following types of personal data:

(a) patient particulars (name, national registration identification card numbers, address, gender, race and date of birth);

(b) clinical episode information (e.g., accident and emergency, impatient and outpatient data);

(c) laboratory, radiology, cardiology, medication and nursing orders;

(d) results of diagnostic tests and orders;

(e) clinical documentation from doctors, nurses and/or rehabilitation;

(f) vital signs, e.g., blood pressure, pulse;

(g) medical alerts and allergies;

(h) diagnosis and health issues;

(i) vaccination details;

(j) discharge summaries;

(k) medical certificates; and

(l) outpatient medication dispensed (with associated patient demographics).

  • The cyber attacker gained initial access to the SCM network in August 2017 by infecting a user’s workstation, likely through an email phishing attack that led to malware and hacking tools being installed and executed on the workstation.
  • Through customized malware that infected and gained remote access to and control of other workstations between December 2017 and May 2018, the attacker gained access to a local administrator account and another service account. The attacker was then able to access and control the Citrix servers located at one of the public healthcare institutions. However, the attacker still did not have the credentials that would have enabled it to log in to the SCM database. As such, the attacker made multiple failed attempts to access it using invalid credentials. On 26 June 2018, the attacker managed to successfully obtain login credentials for the SCM database, which were then used to access the SCM database using one of the compromised Citrix servers.
  • The security incident response manager for IHiS was notified of the suspicious circumstances observed by IHiS staff. SingHealth’s chief information security officer was also apprised of the events but did not make further enquiries. Neither personnel escalated the matter. As such, IHiS senior management and SingHealth’s group chief information officer were only alerted to the attack on the evening of 9 July 2018.

The commission’s findings were as follows:

  • Based on several policy documents including its data protection policy, IHiS is a data intermediary for SingHealth and all other healthcare institutions in the three clusters. Pursuant to section 4(3) of the Personal Data Protection Act (PDPA), an organisation that engages a data intermediary to process personal data on its behalf and for its purposes has the same obligation in respect of such data as if it had processed the data itself. Hence, both SingHealth and IHiS have an obligation to make reasonable security arrangements to protect patients’ personal data in their possession or control, in accordance with section 24 of the PDPA.
  • The commission reiterated that although organisations may outsource work to vendors, the responsibility for complying with statutory obligations under the PDPA may not be delegated. In other words, SingHealth had “the primary role and responsibility of ensuring the overall protection of the personal data in its possession or under its control, even if it has engaged a data intermediary that has a duty to protect the personal data”.
  • The commission stressed the importance of having a contract that sets out the obligations and responsibilities of a data intermediary to protect the organisation’s personal data and the parties’ respective roles, obligations and responsibilities to protect the personal data. This need for a contract was also highlighted in other jurisdictions, namely, in an information leaflet on the outsourcing of processing of personal data to data processors published by Hong Kong’s privacy commission, as well as a guidance note on privacy and outsourcing for businesses by Canada’s privacy commission.
  • In assessing whether each of SingHealth and IHiS had complied with their obligations under section 24 of the PDPA by making reasonable security arrangements, the commission considered the following factors as set out in its advisory guidelines on key concepts in the PDPA (revised on 27 July 2017):

(a) the nature of the personal data;

(b) the form in which the personal data had been collected (physical or electronic); and

(c) the possible impact to the individuals concerned if an unauthorised person obtained, modified or disposed of the personal data.

  • The commission determined that the SCM database contains the full medical records of all SingHealth patients, which is “very sensitive personal information”. Citing its advisory guidelines for the healthcare sector (updated on 28 March 2017), the commission noted that the data is “regarded as more confidential” and “the adverse impact to individuals is significantly greater if such personal data were inadvertently accessed (e.g. relating to sensitive medical conditions)”, and hence “tighter security arrangements should be employed” and it was “critical to protect the security and confidentiality of such medical records”.
  • SingHealth’s chief information security officer had failed to comply with the various incident response policies and standard operating procedures of the organisation. More specifically, even though he was informed of suspicious activities showing multiple failed log in attempts of the SCM, he did not escalate these security events, and this “fell far short of what a reasonable person would expect from someone in his position”. The actions of SingHealth’s group chief information officer and chief information security officer, and in particular, the failure to comply with standard operating procedures, was emblematic of the inadequacy of SingHealth’s security arrangements and should be attributed to SingHealth itself.
  • In addition, although SingHealth had maintained oversight of IHiS’s IT operations and security for the SCM through oversight and auditing mechanisms, and board and management committees, it had not taken sufficient security measures to protect the personal data in the SCM database.
  • In respect of IHiS, by its own admission, there were a number of vulnerabilities and gaps in SingHealth’s network and in the IHiS systems and processes that were exploited by the attacker. In addition, the commission noted that IHiS regularly handles large volumes of sensitive personal data on behalf of public healthcare institutions in Singapore. Hence its policies and practices, and how they were implemented and enforced, were insufficient, particularly in the management of the Citrix servers.
  • Further, there were insufficient steps taken to ensure that technical measures to protect personal data were carried out as intended, and vulnerabilities that had been previously flagged to IHiS were either not remediated or not addressed in time.
  • The PDPA does not require organisations to provide an absolute guarantee for the protection of the personal data in its possession or under its control, but even so, IHiS was found not to have done what a reasonable person would consider appropriate to prevent the data breach in this case.
  • The commission found that both SingHealth and IHiS had breached section 24 of the PDPA and directed SingHealth to pay a financial penalty of S$250,000 and IHiS a financial penalty of S$750,000.

Reed Smith LLP is licensed to operate as a foreign law practice in Singapore under the name and style, Reed Smith Pte Ltd (hereafter collectively, “Reed Smith”). Where advice on Singapore law is required, we will refer the matter to and work with Reed Smith’s Formal Law Alliance partner in Singapore, Resource Law LLC, where necessary.