Personal data stored on the SingHealth database was stolen following a "deliberate, targeted and well-planned cyber attack", according to a statement issued by The Ministry of Communications and Information and Ministry of Health. Data concerning about 1.5 million people who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 was "illegally accessed and copied" in the attack, the departments said.
They said: "The data taken include name, NRIC number, address, gender, race and date of birth. Information on the outpatient dispensed medicines of about 160,000 of these patients was also exfiltrated. The records were not tampered with, i.e. no records were amended or deleted. No other patient records, such as diagnosis, test results or doctors’ notes, were breached. We have not found evidence of a similar breach in the other public healthcare IT systems."
According to the statement, the attack was "not the work of casual hackers or criminal gangs" but instead was carried out by people who "specifically and repeatedly targeted" data belonging to Singapore prime minister Lee Hsien Loong, including "information on his outpatient dispensed medicines".
Technology law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture between MPillay and Pinsent Masons, the law firm behind Out-Law.com, said: "Singapore is amongst the most targeted countries for cyber attacks. It has, however, put in place measures including the 'air gap' for the civil service, general cybersecurity legislation and the creation of the Cybersecurity Agency, which led the investigations during this incident."
"As one would expect to see, the coordinating agency was involved from early on and affected parties are being notified of the breach, after containment and investigation measures have been taken," he said.
Hong Kong-based cybersecurity and data protection law expert Paul Haswell of Pinsent Masons said that, in contrast with Singapore, Hong Kong is "ill-prepared to deal with an attack of this nature".
Haswell said: "During the chief executive elections last year laptops containing the personal data of 3.7 million registered voters, including their names, ID card numbers, addresses and mobile phone numbers, were 'stolen' and never recovered. The investigation into this data loss resulted in no sanctions whatsoever, and it would appear data breaches in Hong Kong of this nature are common and go unreported. I expect similar attacks have taken place here with no investigation at all."
The Singapore government said that an "independent external review" will be set up to look into the SingHealth data breach.