Integrated Health Information Systems (IHiS)
Issued by Personal Data Protection Commission (PDPC) on 2019-01-15
What happened
The PDPC imposed its then-largest ever financial penalty of S$750,000 on IHiS, the technology agency responsible for managing the IT systems of Singapore's public healthcare sector, for its role in the SingHealth data breach. As the IT vendor and data intermediary responsible for maintaining SingHealth's database systems, IHiS was found to have failed in several critical security areas: staff did not respond adequately to the initial signs of the cyber attack, vulnerabilities in the network were not remediated in a timely manner despite being known, and the organization lacked a proper incident response framework. The PDPC determined that IHiS bore a greater degree of responsibility than SingHealth as it was directly responsible for the IT systems that were compromised.
Articles violated
Lessons learned
IT service providers and data intermediaries face higher penalties than their clients when security failures are within their direct control. Incident response teams must be empowered to act decisively when signs of intrusion are detected — delays in escalation directly contribute to the severity of breaches. Known vulnerabilities must be patched promptly, especially in systems containing sensitive healthcare data. This case established that the PDPC will hold service providers to a higher standard than end-user organizations when it comes to technical security measures.