Singapore Government Catches the Data Loss Flu

by: The Knowledge Group

July 24, 2018


When it comes to data security breaches, people have become a bit numb to hearing about the latest company to lose customer data. However, when it’s an entire government that loses 1.5 million citizens’ data, suddenly everybody’s attention is wide awake again. That was the case recently with Singapore realizing that a 1.5 million people’s healthcare data has been exposed.

SingHealth maintains combined data collection of patient information from almost 60 different health organizations in the country, ranging from hospitals to specialty centers to focused clinics. The catalyst for the breach was innocent enough; the government wanted to realize a greater flow of information among authorized medical users. However, Singapore has now become the latest in how the rush to Internet-based data flow comes with expensive costs when handled properly.

The actual data affected was non-medical in nature, but it included the personal information of patients covering a period of about three years’ time (mid-2015 to mid-2018). That data included the key valuable elements of a person’s online identity: their name, date of birth, gender, race, and contact address.

The first signs of the breach were noticed at the beginning of July 2018, triggering an immediate reaction and system cutoffs. Yet the critical notice to the various government agencies did not occur for another six days. By then, the Singapore Health Ministry and Cybersecurity Agency had to confirm the breach had occurred from an intentional cyberattack. Based on the investigation, the attackers had access to the database as early as June 27 and were able to access the data for at least 7 days prior to system cutoff.

The type of data and patients with the greatest activity was apparent as well. For example, Singapore’s prime minister was one of the victims, with repeat accesses and trafficking of his information, medical services, prescriptions and personal details being gone through by the hackers.

Experts assume the end result of the breach was to secure large amounts of personal data for sale on the dark web to other criminal parties for future usage, most likely identity theft and credit fraud being the most common purposes. And yet again, the Singapore breach is a painful lesson in security circles: outside parties are constantly looking for weaknesses, and human users remain the weakest link.

We are discussing data breach class action suits and the latest updates and their precedent on the legal landscape.  You can find all of the information for the August 8th event by clicking here.  This event will also be recorded for on-demand listening as well as being eligible for Continuing Legal Education (CLE) credit.