PDPC slams SingHealth for being ‘overly dependent’ on IHiS, metes out S$1 million in fines for data breach
SINGAPORE — The Integrated Health Information Systems (IHiS) and SingHealth have been fined a total of S$1 million by the Personal Data Protection Commission (PDPC) — the stiffest fine imposed by the commission to-date — in the wake of Singapore's largest data breach.
Announcing the grounds of its decision on Tuesday (Jan 15), PDPC said that IHiS — the Health Ministry’s IT arm — was fined S$750,000 for failing to take "adequate security measures" to protect data from SingHealth’s patient database system in its possession.
The commission also imposed a S$250,000 financial penalty on SingHealth as the owner of the patient database system.
Between June 27 and July 4 last year, sophisticated hackers stole the personal data of 1.5 million patients with the public healthcare group, as well as the outpatient medication data of 160,000 of these patients, among them Prime Minister Lee Hsien Loong.
In a statement on Tuesday, PDPC slammed SingHealth for being "overly dependent on IHiS", and said the SingHealth personnel handling security incidents were unfamiliar with the incident response process.
PDPC added that the SingHealth personnel did not understand or try to understand "the significance of the information provided by IHiS after it was surfaced".
"Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers," PDPC added.
In a report outlining the grounds of its decision, dated Monday, PDPC said the stiff financial penalties were due to the seriousness of the data breach.
Besides being the largest data breach in Singapore, the database attacked contained the data of over five million patients, which increased the “seriousness of IHiS’ and SingHealth’s data security inadequacies”.
The database contained highly sensitive and confidential personal information, including records of patients’ health issues, diagnoses and dispensed medication, the report added.
However, the report also stated that PDPC took into account several mitigating factors such as SingHealth’s and IHiS’ co-operation during investigations, and that they were victims of the “malicious actions of a skilled and sophisticated threat actor”.
Shortly after PDPC announced the financial penalties, SingHealth issued a statement accepting responsibility, and apologised to its patients.
SingHealth Chairman Peter Seah added that its senior leadership, including its Group CEO, has voluntarily accepted a financial penalty which is separate from the fine imposed by PDPC.
The healthcare group did not disclose any details regarding this separate fine.
SingHealth’s Group CEO Ivy Ng said in the same statement that it is making changes to improve its cybersecurity governance structures and oversight of its critical systems.
"We are also working with IHiS to comprehensively upgrade our cyber defence systems and processes to more effectively guard against cybersecurity risks, as well as to respond in a timely and robust manner to any intrusion," Prof Ng added.
The fines by PDPC come a day after IHiS disciplined its staff involved in the cybersecurity breach.
On Monday, two IHiS employees were sacked, while seven other staff members, including chief executive officer Bruce Liang, were fined.
A 10th employee, who misunderstood what constituted a security incident and failed to comply with IHiS’ incident reporting processes, will be demoted and redeployed, the organisation said.