Unauthorised access to 72 HealthHub accounts prompts shutdown of e-service for six days

SINGAPORE — Seventy-two accounts on the Health Promotion Board’s (HPB) HealthHub portal were recently accessed without authorisation, prompting authorities here to shut down access to the electronic service for six days early this month.

The HPB and Integrated Health Information Systems (IHiS) said on Thursday (Oct 18) that they discovered the unauthorised log-ins during investigations into unusual activities on HealthHub, a one-stop portal and mobile application for Singaporeans to access their public health records and a range of e-services such as making medical appointments.

The agencies had found “higher than usual attempted log-ins” to the portal on four days – Sept 28, Oct 3, Oct 8 and Oct 9 – using more than 27,000 unique IDs or email addresses.

Although 98 per cent of the email addresses used were not related to HealthHub account IDs – and these attempts were unsuccessful – 72 accounts were successfully logged into.

The affected accounts were then locked, and the users were contacted to inform them that their accounts may have been accessed without authorisation, the HPB and IHiS said in a joint statement.

The suspected hacking attempt came on the heels of a cyber attack on SingHealth in June. 

While HealthHub accounts allow users to access their family’s medical records, the agencies noted that the unauthorised log-ins were limited to the basic tier of HealthHub, which contains the user’s self-populated profile and any Healthpoints accumulated through participation in HPB programmes. No personal health records were accessed.

Access to other e-services were not affected, as they require a SingPass password and two-factor authentication, the statement added.

The HPB and IHiS said that no evidence of a breach in the HealthHub system has been found.

The agencies added: “Based on the suspicious volume of email addresses not related to HealthHub account IDs and the repeated attempts, it is likely that the volume of email addresses used had been obtained from external sources.”

The HPB was first alerted when a user suspected her email account had been used without her permission to log in to the portal, and informed HPB.

Access to the mobile app and website e-services of HealthHub were suspended from Oct 9 to Oct 14 as a precaution while the unusual log-in attempts were investigated. Access has since been restored.

The HPB and IHiS “will continue to strengthen system surveillance” to ensure security of the HealthHub portal, the statement said, and reminded users to use strong passwords for their accounts.

The HealthHub portal is owned by the HPB and operated by IHiS – the Ministry of Health’s IT arm – which also manages SingHealth’s IT systems.

Between June 27 and July 4 this year, sophisticated hackers stole the personal data of 1.5 million SingHealth patients, including their national identity card numbers, addresses, names and dates of birth. 160,000 of the affected patients, including Prime Minister Lee Hsien Loong, also had information on their outpatient medication stolen.

An ongoing committee of inquiry (COI) for the SingHealth cyber attack, first convened on July 24 and led by retired senior judge Richard Magnus, began public hearings last month.

The COI is expected to submit a report of its findings by the end of the year.

HealthHub users who wish to enquire about their accounts can contact HPB at 1800 225 4482 or email HPB_HealthHub [at] hpb.gov.sg.