You know this is serious shit when the evening news dedicated a good 10 minutes discussing the entire incident and all the local news headlines engaging in scaremongering and with a strange fixation on the fact that PM Lee Hsien Loong being one of the 1.5 million compromised records.
This could potentially open up the very real risk of identity theft for all these patients, who visited SingHealth’s specialist outpatient clinics and polyclinics between 1 May 2015 to 4 July 2018, whose records were compromised. We are talking about your full names, NRIC numbers, home addresses, gender, race, and DOB.
SingHealth has very kindly set up a page to check if you are indeed one of the lucky ones.
Investigations are ongoing but they have revealed that the theft occured between 27 June 2018 and 4 July 2018. One of the SingHealth front-end workstation was infected with malware through which the hackers gained access to the database.
Very reminiscent of the Equifax data breach which came to light in the USA last year. Aside from the oh-so-touching apologies from Health Minister Gan Kim Yong, I wonder if the details of the investigation will be revealed to the public as a port-mortem for the public?
Also, Mr David Koh, chief exeuctive of the Cyber Security Agency of Singapore must repeatedly highlight that “this was a deliberate, targeted and well-planned cyber attack” and most certainly “not the work of casual hackers or criminal gangs”.
FAQs as provided by SingHealth:
How could this have happened?
Forensic investigations have confirmed that this was a deliberate, targeted and well-planned cyberattack. It was not the work of casual hackers or criminal gangs. We have lodged a police report on the incident and the matter is currently under investigation. We apologise for the anxiety caused. Please rest assured that additional cybersecurity measures have been implemented to safeguard patients’ data.
Were my electronic medical records accessed or compromised? Will my medical care be affected?
All records in SingHealth’s IT system remain intact - there were no modifications or deletions to patient records. Your medical care will not be affected and there is no disruption to our services.
Who can I contact if I have other questions/concerns?
We would be happy to address your concerns, please contact us at firstname.lastname@example.org
Addendum: I tried to login on my mother’s behalf to check if her data was compromised and while the intention to force a password change every 2 years is fine (I won’t say wonderful but it does has its pros/cons) but I am slightly confused on the password being already expired 2 years in the future.
20 July 2018