IHiS and SingHealth fined S$1 million in total by PDPC for data breach arising from cyberattack

By Dean Koh
02:10 AM
The financial penalties on the two organisations involved are the highest ever imposed by PDPC to date.

Following the release of the public report by the Committee of Inquiry (COI) into the SingHealth cyberattack, which occurred in July 2018, and the disciplinary action taken by Integrated Health Information Systems (IHiS) against staff members involved in the incident and members of its senior management team, the Personal Data Protection Commission (PDPC) has imposed financial penalties on both IHiS and SingHealth, according to an official statement.

The PDPC administers the Personal Data Protection Act 2012 (PDPA) in Singapore, which aims to safeguard individuals’ personal data against misuse and to promote proper management of personal data in organisations. PDPC’s investigation into the data breach arising from a cyberattack on SingHealth’s patient database system found that IHiS had failed to take adequate security measures to protect the personal data in its possession. PDPC has imposed a financial penalty of S$750,000 on IHiS.

A financial penalty of S$250,000 has also been imposed on SingHealth as the owner of the patient database system. PDPC found that the SingHealth personnel handling security incidents were unfamiliar with the incident response process, were overly dependent on IHiS, and failed to grasp the significance of the information IHiS surfaced or to take further steps to understand it.

These financial penalties (a total of S$1 million) are the highest ever imposed by PDPC to date. PDPC took into account the fact that the data breach was the largest Singapore has ever experienced, as well as the sensitive and confidential nature of the patients’ data.

In addition, the penalties took into account the fact that IHiS and SingHealth were cooperative throughout the investigations and took immediate remedial action. PDPC also recognised that both organisations were victims of a skilled and sophisticated threat actor bearing the characteristics of an Advanced Persistent Threat group, which used numerous advanced, customised and stealthy tools and carried out its attack over a period of more than 10 months.