[Public Service Announcement] Protecting Your Personal Data

Published on 20 Jul 2018

Updated on 28 Dec 2020

Background

SingHealth’s database containing patient personal particulars and outpatient dispensed medicines has been the target of a major cyberattack. About 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 have had their non-medical personal particulars illegally accessed and copied. The data taken include name, NRIC number, address, gender, race and date of birth. The records were not tampered with, i.e. no records were amended or deleted.

The Integrated Health Information System (IHiS), which is the technology agency for the public healthcare sector and runs the public healthcare institutions’ IT systems, has implemented further measures to tighten the security of SingHealth’s IT systems. These include temporarily imposing internet surfing separation. They have also placed additional controls on workstations and servers, reset user and system accounts, and installed additional system monitoring controls. Similar measures are being put in place for IT systems across the public healthcare sector against this threat.

SingHealth will be progressively contacting all patients who visited its specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018, to notify them if their data had been illegally exfiltrated.

Recommendations and advice for members of the public

There has been no evidence of fraud or misuse tied to the incident. However, as a precautionary measure, members of the public are encouraged to adopt the following measures:

  • Be vigilant for unusual requests for details of personal information, and verify with the relevant authority that the request is legitimate.
  • Consider changing your passwords for account logins, especially if the password is derived from your personal information, as this is an insecure practice. You may refer to our GoSafeOnline website for tips on how to create a strong password to secure your online credentials. Users of key government e-transactions and banking transactions are encouraged to activate their 2-Factor Authentication (2FA), if they have not done so, as an added layer of protection.
  • Check and review your financial and other statements regularly. Contact your card issuer or relevant agency immediately if you suspect fraudulent activities.

Cyberattacks will continue to be a prevalent threat. Members of the public are advised to heighten their online vigilance to the evolving cyber threat and adopt precautionary measures to safeguard their online presence.

For more tips on improving online cyber hygiene, visit GoSafeOnline's Cyber Tips 4 You.