PrivacyCache
SG | Data Breach | Healthcare | Decision: 2019-01-15

SingHealth Pte Ltd

SGD250K

Issued by Personal Data Protection Commission (PDPC) on 2019-01-15

What happened

Singapore's PDPC fined SingHealth, the country's largest public healthcare group, S$250,000 for failing to make reasonable security arrangements to protect the personal data of about 1.5 million patients; Integrated Health Information Systems (IHiS), the public-sector IT agency that operated SingHealth's systems, was fined a further S$750,000 in the same decision. Between late June and early July 2018, attackers who had already established a foothold in the network exfiltrated patient records from SingHealth's patient database, including names, NRIC numbers, addresses, gender, race and dates of birth, together with the outpatient dispensed-medication records of about 160,000 patients. Among them was Prime Minister Lee Hsien Loong, whose records were specifically and repeatedly targeted. The PDPC found that reasonable security arrangements were lacking: the network was insufficiently segmented, known vulnerabilities had not been patched, and access to the database was not adequately monitored. It was the largest data breach in Singapore's history.

Articles violated

Section 24 PDPA (Protection Obligation)

Lessons learned

Healthcare organizations holding millions of patient records need robust network segmentation between end-user workstations and clinical databases, timely patching of known vulnerabilities, and real-time monitoring of database access so that unusual bulk queries are detected and escalated. The attacker here was assessed to be an advanced persistent threat, and medical data on high-profile individuals is a target in its own right; organizations should assume that a capable adversary will attempt to breach their systems and design defenses accordingly. The PDPC treats the sensitivity of medical records as an aggravating factor when setting penalties: the fines in this decision were the highest it had imposed up to that point, although still below the S$1 million statutory maximum. Regular penetration testing and incident response drills are essential for healthcare providers.

Source

View original decision

Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
