Hackers search for PM Lee's medical records using his NRIC number

He was one of three people targeted in SingHealth cyber attack, COI hearing told

Hackers who infiltrated the SingHealth database had specifically searched for Prime Minister Lee Hsien Loong's personal data, using his NRIC number.

He was one of the three people targeted in direct queries made to the database using their NRICs.

The other two were not named, but they are known not to be VIPs, according to the testimony of one witness yesterday, the second day of the public hearings to investigate the SingHealth cyber attack.

The hearings come after a Committee of Inquiry (COI) convened in private on July 24 to inquire into the events contributing to the breach, which took place between June 27 and July 4 this year.

The four-member panel, which is headed by former chief district judge Richard Magnus, held its first hearing behind closed doors on Aug 28.

The SingHealth cyber attack, the worst of its kind in Singapore, compromised the personal data of 1.5 million patients and led to the leakage of outpatient prescription information of 160,000 people, including Mr Lee and several ministers.

During yesterday's hearing, three employees from the Integrated Health Information Systems (IHiS) - an agency that runs the IT systems of public healthcare institutions - gave evidence on what had gone on behind the scenes when the attack was detected.

One of them, Mr Chai Sze Chun, assistant lead analyst in the IHiS' service delivery division, said a number of queries had been run on the Sunrise Clinical Manager (SCM) database between June 26 and July 8.

This started off as reconnaissance on the database, before the person made direct queries on three NRIC numbers.

One of these belonged to Mr Lee, and the other two to "non-VIPs".

The rest of the queries made were more general and related to patient demographic data, Mr Chai said.

For example, one query sought to retrieve the first 20,000 records of patient demographics from the Singapore General Hospital (SGH).

Giving his testimony yesterday, Mr Chai said that on July 4, he received text messages alerting him to possible performance issues with the SCM database server.

This led him to notice a particular query that had been running for "quite a while" in the database.

The query stopped running, but Mr Chai decided to investigate further.

He realised the combination of the program used to run the query, the account used to access the data, and the workstation used for the program was "unusual".

Mr Chai said he had not seen queries similar to this one before.

He tried to trace the user who had run the query but was unable to do so. That day, he sent e-mails to relevant parties about the query.

Mr Steven Kuah, an assistant director in the IHiS' Clinical Care Department and Mr Chai's superior, as well as Mr Chan Chee Choong, manager of the SingHealth Active Directories Team for users in SGH, also testified at the hearing yesterday.

The high-level COI had heard on the first day of the public hearing last Friday that part of the problem leading to the attack was a lack of situational awareness and tardy response.

Yesterday, Solicitor-General Kwek Mean Luck, who has been designated by the Attorney-General to lead evidence in the inquiry, said Mr Chai's statement was among the examples of initiative shown by IHiS staff.

He said Mr Chai's actual job scope involved ensuring operational efficiency and not cyber security.

"Nevertheless when faced with (this matter), he was alert and showed initiative in investigating this security incident," said Mr Kwek, a Senior Counsel.