Systems managers and CEO are dismissed and sued after massive health data breach

Two officials were dismissed and a general manager was fined over the massive data theft from the health system in Singapore

The Integrated Health Information Systems of Singapore (IHIS) fired two managers and fined five high-level employees, including Bruce Liang, CEO of the company, for their responsibility in last year's massive data breach of the SingHealth system, as reported by network security specialists from the International Institute of Cyber Security.

It is estimated that the incident affected about 1.5 million people, nearly one-third of the total population of Singapore. According to specialists in network security, the attackers accessed personal details such as:

  • Patients’ full names
  • Dates of birth
  • NRIC (National Registration Identity Card) personal identification numbers
  • Ethnic and racial details

In addition, details concerning the health of over 150k patients (such as diagnoses or treatments) were also stolen. The people affected by this incident include Lee Hsien Loong, Prime Minister of Singapore.

The Singapore Ministries of Health and Communications described this incident as “a deliberate, well-defined and planned cyberattack campaign”, although subsequent investigations by network security experts confirmed that human error was fundamental to the incident: “while SingHealth implements the necessary technical controls, two high-level employees turned out to be negligent in their work”.

The researchers criticized the poor server configuration of Lum Yuan Woh, the leader of the Citrix team, as they considered that “unnecessary risks were introduced to the system”. Ernest Tan, SingHealth Incident Response Team Manager, was criticized for “ignoring the due process of security incident notification”.

Another five senior employees were also reported as responsible for the data theft, but their mistakes were not considered serious enough to warrant dismissal. Four of these employees were fined, while the remaining employee was transferred to a position with lower responsibilities.

According to the experts, SingHealth employees committed three fundamental errors:

  • They were unable to install software patches on their systems, allowing attackers to exploit an Office vulnerability and gain access to one of the employees’ PCs
  • The SingHealth team took at least a year to identify the data breach. Hackers accessed the system for the first time in August 2017 and, over the course of a year, managed to distribute malware and infect other computers on the network without being detected
  • Employees used weak passwords (p@ssw0rd, for example). This is one of the most serious errors that a sysadmin can commit, because simply setting a strong password can prevent multiple attacks

Unfortunately, these problems are not unique to the SingHealth team; human error is one of the main causes of data breaches, and all organizations must adopt the relevant policies to mitigate the risks arising from these flaws.