Hackers steal health data of 1.5m Singaporeans including PM

Health records of some 1.5 million Singaporeans including Prime Minister Lee Hsien Loong have been stolen in the worst cyber-attack in the city-state, authorities said on Friday.

Health Minister Gan Kim Yong and Minister for Communications and Information S. Iswaran described the leak as the most serious breach of personal data in Singapore.

Gan apologised to the patients affected by the data theft. Iswaran, who is also in charge of cyber security, said an inquiry panel will be set up to investigate the incident.

The Cyber Security Agency of Singapore described it as a deliberate, targeted and well-planned cyber-attack and not the work of casual hackers or criminal gangs.

According to the agency, the hackers infiltrated the computers of SingHealth, Singapore’s largest group of healthcare institutions with four hospitals, five national speciality centres and eight polyclinics.

Data on Lee, a two-time cancer survivor, was specifically and repeatedly targeted. Lee said in a Facebook post he was not sure what the attackers were hoping to find.

Unusual activity was first detected on July 4 on one of SingHealth’s IT databases. Security steps were taken to thwart any hacking attempts.

Initial investigations showed that one SingHealth front-end workstation was infected with malware through which the hackers gained access to the data base. The data theft happened between June 27 and July 4 this year, reports said.

The hackers accessed and copied non-medical personal data of 1.5 million patients who had visited SingHealth’s specialist outpatient clinics or polyclinics between May 1, 2015 and July 4 this year. The details stolen included their name address, gender, race and date of birth. SingHealth will be contacting all of them.

It is said the hackers spared the patients’ data related to diagnosis, test results and doctors’ notes.

On July 10, the Health Ministry, SingHealth and the Cyber Security Agency of Singapore were alerted of the cyber-attack.

The previous cyber-attack took place in 2017 when a breach at the defence ministry resulted in the theft of personal data of 850 national servicemen and employees.