PDPC slaps fines totalling $1m on SingHealth and IHiS for data breach
PDPC slaps highest-ever fine for cyber attack in June
The Personal Data Protection Commission (PDPC) has imposed the highest fines ever by slapping SingHealth and Integrated Health Information Systems (IHiS) with $1 million in fines over last June's cyber attack.
In a statement yesterday, the PDPC said it conducted its own investigations after the incident came to light.
It decided to fine IHiS, the central IT agency for the public healthcare sector, $750,000.
SingHealth, whose patient database system was breached, was fined $250,000.
The PDPC said it took into account the scale of the data breach, Singapore's largest-ever, and the confidential and sensitive nature of the data leaked.
Personal particulars of about 1.5 million patients and 160,000 outpatient medication records, including those of Prime Minister Lee Hsien Loong, were stolen by a cyber attacker, believed to have been state-sponsored.
IHiS was fined for failing to take adequate security measures to protect the personal data in its possession.
The PDPC said: "Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers."
It found that the person in charge of handling security incidents for SingHealth was unfamiliar with the incident response process and was overly dependent on IHiS.
The individual also failed to grasp the significance of the information IHiS provided after the attack surfaced, and did not take further steps to understand it.
The PDPC said IHiS and SingHealth were cooperative throughout the investigations and took immediate remedial actions, mitigating factors that it took into account when meting out the fines.
It also recognised that both organisations were the victims of a skilled and sophisticated threat actor, who used advanced and customised tools during the attack.
In its grounds of decision, the PDPC said that without these mitigating factors, it would have imposed the maximum financial penalty allowed under the Personal Data Protection Act (PDPA) against IHiS - $1 million - and a significantly higher penalty against SingHealth.
SingHealth had earlier appealed to the PDPC for a reduced fine.
But the PDPC said in its grounds of decision: "The fact that an organisation has adequately implemented other protection policies will not operate to absolve or mitigate liability for breaches."
SingHealth and IHiS have accepted the PDPC's decision.
SingHealth chairman Peter Seah said in a statement yesterday: "As the owner of the data, we accept responsibility and apologise to our patients for the incident. The SingHealth senior leadership, including its group CEO, has voluntarily accepted a financial penalty."
On Monday, IHiS fired two of its employees, a Citrix team lead and a security incident response manager, for their negligence during the attack.
A cluster information security officer was demoted and redeployed, and five senior management members including chief executive Bruce Liang, were slapped with significant financial penalties.