Integrated Health Information Systems (IHiS) and Singapore Health Services (SingHealth) have been fined for breaching their data protection obligations under the Personal Data Protection Act (PDPA).
The financial penalties were the highest imposed by the Personal Data Protection Commission (PDPC) to date.
In a press statement on Tuesday, January 15, PDPC said investigations into the data breach found that it was caused by a cyber attack on SingHealth’s patient database system. IHiS had failed to take adequate security measures to protect the personal data in its possession.
A financial penalty of SGD750,000 has been imposed on IHiS. PDPC also imposed a fine of SGD250,000 on SingHealth as the owner of the patient database system.
The SingHealth personnel handling security incidents were found to be unfamiliar with the incident response process. PDPC said in the statement that even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers.
The fine figures took into account that the data breach was the largest breach that Singapore has ever experienced, as well as the sensitive and confidential nature of the patients’ data.
PDPC also said that the penalties took into account the fact that IHiS and SingHealth were cooperative throughout the investigations and took immediate remedial actions. The commission recognised that both organisations were victims of a skilled and sophisticated threat actor. The attacker bore the characteristics of an Advanced Persistent Threat group – using numerous advanced, customised and stealthy tools and carrying out its attack over a period of more than 10 months.