Published on Friday, 20 July 2018 17:30
UPDATED 23 July 2018
SingHealth’s database containing patient personal particulars and outpatient dispensed medicines has been the target of a major cyberattack. About 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 have had their non-medical personal particulars illegally accessed and copied. The data taken include name, NRIC number, address, gender, race and date of birth. The records were not tampered with, i.e. no records were amended or deleted.
The Integrated Health Information System (IHiS), which is the technology agency for the public healthcare sector and runs the public healthcare institutions’ IT systems, has implemented further measures to tighten the security of SingHealth’s IT systems. They have placed additional controls on workstations and servers, reset user and system accounts, and installed additional system monitoring controls. Similar measures are being put in place for IT systems across the public healthcare sector against this threat.
SingHealth will be progressively contacting all patients who visited its specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018, to notify them if their data had been illegally exfiltrated.
Recommendations and Advice for Members of the Public
There has been no evidence of fraud or misuse tied to the incident. However, as a precautionary measure, members of the public are encouraged to adopt the following measures:
Look out for fake SingHealth SMS. Verify the Caller ID. The notification message should be sent by SingHealth. You may choose to go directly to the official website by typing https://datacheck.singhealth.com.sg into the address bar of your browser.
Do not use your Personally Identifiable Information such as NRIC or Date of Birth in your password. This is an unsafe practice. Change to a strong password to protect your online credentials. You may refer to our website on Gosafeonline for tips on how to create a strong password. You may also consider to change your user ID (where possible) or security questions if they were based on your personal data.
Enable Two-Factor Authentication (2FA). Users of e-government and banking transactions are encouraged to activate your 2FA, if you have not done so, as an added layer of protection.
Be Wary of Scams. Take extra precautions against phone or online scams. Do not share your pin, login password, one-time pin or payment details. Government agencies will not ask for your payment details, and SingPass or CorpPass login credentials (including one-time pin) over email, SMS or phone.
Check for fraudulent transactions. Check and review your credit card and other transaction history regularly. Contact your bank or the relevant authorities immediately if you suspect fraudulent activities.
Cyberattacks will continue to persist. Members of the public are advised to exercise caution and adopt good cyber hygiene practices to protect their personal data.
For more tips on practising good cyber hygiene, visit our Gosafeonline's Cyber Tips 4 You
. You may also refer to MoneySENSE for useful tips on internet banking security and understanding 2FA.