How to avoid a large fine when a data breach occurs

24 January 2019

On 14 January 2019, the Singapore privacy regulator, the PDPC (Personal Data Protection Commission), issued fines totalling SGD$1 million against SingHealth and IHiS for a data breach involving SingHealth's patient database.

What happened?

SingHealth is the largest healthcare provider in Singapore operating four public hospitals and more than five national specialist care centres as well as a large number of polyclinics. Between 27 June and 4 July 2018, the personal data of nearly 1.5 million unique individuals, including Singapore's prime minister, was illegally accessed and copied from SingHealth's patient database. This included names, NRIC numbers, and residential addresses. About 159,000 patients also had their medical records accessed. A foothold in the network was gained in August 2017 via an infected workstation, which was then used to gain remote access to other workstations between December 2017 and May 2018. This allowed the attacker to appropriate two dormant administrator accounts, which were then used to gain access to servers that were in the process of being decommissioned, but which remained part of the network. Although the IHiS Security Incident Response Manager and the SingHealth Cluster Information Security Officer ("CISO") became aware of the cyberattack by 13 June 2018, IHiS senior management and the SingHealth Group Chief Information Officer were only informed on 9 July 2018. The cyberattack was announced to the public on 20 July 2018 by the Singapore Government.

The PDPC's decision

In coming to its decision, the PDPC clarified the scope of the security obligations under the Personal Data Protection Act 2012 (the "PDPA").

In particular, the PDPC clarified that while SingHealth engaged IHiS as a vendor, it still retained primary responsibility for ensuring that there were reasonable security arrangements in place to protect the personal data. In other words, an organisation may outsource tasks to third parties, but the responsibility for complying with, and the liability for failing to comply with, the PDPA, are non-delegable.

Part of an organisation's responsibility is to contractually impose upon a third party data intermediary the appropriate obligations and responsibilities. The PDPC, citing guidance given by the Hong Kong Office of the Privacy Commissioner for Personal Data and the Office of the Privacy Commissioner of Canada, emphasised that organisations must also follow through to check that the outsourced provider is in fact complying with these obligations and responsibilities in delivering their service to the organisation.

The PDPC further found that SingHealth's CISO had failed to comply with its own information security policies.

Regarding the failures of the vendor, IHiS, the PDPC commented that organisations handling large volumes of sensitive personal data need written policies accessible to staff, who should also have regular training sessions and exercises to ensure they are familiar with these policies and what role each employee has in recognising and reporting incidents. Notably, not only had IHiS staff not complied with instructions to implement firewalls on important servers, but IHiS had reported to SingHealth that the measures had been implemented without verification.

The PDPC also detailed the various measures it had found inadequate, and provided guidance on how they might be improved, including that:

  • IHiS had not implemented an effective password policy to ensure that passwords were strong and regularly changed;
  • The database lacked controls to detect bulk querying behaviour; and
  • Communications between local servers and offsite databases (such as those stored in a cloud) should have been controlled by firewalls and monitored.

The PDPC recommended that organisations holding large amounts of personal data should consider implementation of database access monitoring. The PDPC further clarified that the appropriate degree of protection to be afforded depended on the quantity and sensitivity of the personal data. It observed that the health sector handles some of the most sensitive types of personal data and that it considered medical records "very sensitive personal information". These comments suggest that organisations that hold sensitive personal data such as health data need to apply a higher standard of protection for that personal data.

What you can learn

  • The PDPC's decision in relation to the first large scale data breach makes it clear that such data breaches will be taken seriously and attract significant penalties.
  • Companies handling personal data will need to ensure that their employees are properly trained.
  • Companies outsourcing security functions need to take steps to ensure their vendors are in fact meeting data protection obligations. The fact that IT systems or services are outsourced to a vendor will not absolve an organisation from responsibility when the vendor fails to meet its obligations under the PDPA. It is incumbent on the organisation to monitor the vendor and ensure that the PDPA obligations are met.
  • Companies handling sensitive personal data such as health, biometric and financial data will be expected to ensure that the security systems in place are of the highest standards.

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.