Singapore has suffered the most serious cyber attack in the nation-state's history, affecting 1.5 million patients who visited SingHealth’s specialist outpatient clinics between 1 May 2015 and 4 July 2018.
The level of sophistication needed for such an attack narrows the possibilities of who was responsible; the most likely scenario is a state actor, with only a few countries having the capabilities to carry out such an attack.
When pressed on who the authorities believe was responsible, David Koh, CEO of the Cyber Security Agency of Singapore, apologised for not being able to disclose more, citing operational security reasons.
What data was stolen?
At this stage, what Channel Asia understands so far is that the personal information of 1.5 million patients was stolen, including name, NRIC number, address, gender, race and date of birth.
Furthermore, 160,000 patients had details related to outpatient dispensed medicines stolen; however, no records were tampered with, from what Channel Asia currently understands.
No evidence was found of a breach of other patient records, such as diagnoses, test results or doctors’ notes.
In addition, it has been disclosed that Lee Hsien Loong, Singapore's Prime Minister, had his personal particulars stolen, as well as his outpatient dispensed medicines record, in what was described as “specific and repeated” targeted attacks.
Investigations are ongoing in a joint effort by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information Systems (IHiS), with more information expected within the coming days and weeks.
“This was a deliberate, targeted and well-planned cyber attack,” said the CSA and IHiS in a joint statement. “It was not the work of casual hackers or criminal gangs.”
All patients, whether or not they were affected, will receive an SMS notification over the next five days, SingHealth has revealed, with patients also able to use the Health Buddy mobile app or SingHealth website to check if they are affected by this incident.
While Singapore’s Health Minister, Gan Kim Yong, apologised for the breach and to affected patients, Communications and Information Minister S Iswaran vowed to get to the bottom of the incident.
A committee of inquiry is expected to be set up to conduct an independent external review of this incident, it was revealed.
Behind the breach
Channel Asia understands so far that the SingHealth IT system was compromised through an initial breach on a particular front-end workstation, with the attackers then obtaining privileged account credentials to gain access to the database.
The breach was immediately contained, preventing further exfiltration, CSA disclosed in a statement.
When did the attack occur?
From what Channel Asia understands, the attack was discovered on 4 July, when IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases and immediately halted the activity upon discovery.
On 10 July, investigations confirmed that it was a cyber attack, and the Ministry of Health (MOH), SingHealth and CSA were informed.
Meanwhile, on 12 July 2018, a police report was made, with investigations ongoing.
Channel Asia understands that the attack began on 27 June and ended on 4 July, once IHiS’ database administrators detected the attack and put a stop to it.
“No further illegal exfiltration has been detected since 4 July 2018,” declared a joint statement. “All patient records in SingHealth’s IT system remain intact.”
In a combined effort, IHiS, with the support of CSA, implemented further measures to tighten the security of SingHealth’s IT systems, including temporarily imposing internet surfing separation.
Furthermore, additional controls were placed on workstations and servers, user and systems accounts were reset, and additional system monitoring controls were installed.
“Similar measures are being put in place for IT systems across the public healthcare sector against this threat,” it was disclosed.