National Healthcare Group fined SG$6k for exposing personal data

The National Healthcare Group (NHG) has been fined SG$6,000 for exposing the personal information of 129 general practitioners (GPs). A list containing the information of the medical group's partner doctors, as well as that of five members of the public, generated when they submitted feedback on the website, was found to be publicly accessible online.

NHG was notified of the incident on 7 February 2018, took the website offline, and fixed the cause of the incident. The personal information comprised full names, NRIC numbers, photographs, mobile numbers, mailing addresses, email addresses, and clinic addresses.

NHG first engaged a website developer on 17 March 2015 to develop its website, but the relevant web configuration file was not examined before the website went “live” in December 2015. Around June or July 2016, a vendor was engaged to conduct a penetration test of the website, which found that the list was vulnerable to unrestricted access through the internet. According to a filing by the Personal Data Protection Commission (PDPC), NHG also requested Google to remove cached copies of the list indexed from 9 to 13 February 2018.

To prevent a recurrence, NHG carried out additional checks at the front-end publishing site and ensured that penetration tests are performed before websites go “live”.

Meanwhile, in May 2019, the Singapore Red Cross (SRC) was hacked, compromising the personal data of 4,297 interested donors. SRC said that its web developer detected unauthorised access to the part of its website supporting the recruitment of blood donors. However, its other databases and the Health Sciences Authority’s systems were unaffected by the incident.

This came shortly after the data of over 800,000 blood donors in Singapore was leaked in January 2019 due to mishandling by a vendor of the Health Sciences Authority. Healthcare data breaches in Singapore have been on the rise of late. Confidential information of over 14,000 HIV patients was also recently leaked online by an “unauthorised person”, the Ministry of Health said at the time. The perpetrator was later found to be Mikhy K Farrera Brochez, the partner of the former head of the ministry’s National Public Health Unit. In July 2018, the government saw a major cyberattack on the SingHealth database that affected over 1.5 million patients' personal particulars and records of outpatient dispensed medicines.
