Hackers breached the Singapore government’s health database with a “deliberate, targeted and well-planned” cyberattack, accessing the data of about 1.5 million patients, including Prime Minister Lee Hsien Loong, for almost a full week.

The cybercriminals initially breached a front-end workstation to gain privileged account credentials to obtain privileged access into the database. Officials said they detected unusual activity on July 4, but the hack began on June 27.

The investigation found the hackers didn’t tamper with the records, rather they exfiltrated the data. Officials said the attack was well-planned, and it wasn’t the work of “casual hackers or criminal gangs.”

According to the official statement, hackers targeted clinical visits between May 1, 2015, and July 4, 2018. All patients who visited SingHealth’s outpatient clinics and polyclinics during that time period were included in the breach. Patient care was not disrupted during the attack.

The stolen data contained demographic information and patient identification numbers. Medical information like diagnoses and test results weren’t included. However, for 160,000 patients, including the prime minister, the hackers stole data on outpatient-dispensed medications.

Upon discovery, officials said they immediately worked to stop further unauthorized access and notified authorities to investigate. During that time, the hackers continued their attempts to access the system. But all suspicious activity ended on July 4.

Since the attack, the health system has tightened up its security measures, which included temporarily “imposing internet surfing separation.” Officials said they’ve also increased controls on workstations and servers, reset user and systems accounts, and installed additional system monitoring controls.

“Similar measures are being put in place for IT systems across the public healthcare sector against this threat,” officials said. “The Ministry of Health has directed [the health system] to conduct a thorough review of our public healthcare system, with support from third-party experts, to improve cyber threat prevention, detection and response.”

“Areas of review will include cybersecurity policies, threat management processes, IT system controls, and organizational and staff capabilities,” officials said. “Advisories have been sent to all healthcare institutions, public and private, on the cybersecurity precautions and measures to be taken.”

The government’s minister in charge of cybersecurity will be establishing an inquiry committee to externally review the cyberattack. While Singapore doesn’t fall under HIPAA, it’s breach serves as a strong reminder that countries and government health services continue to be targeted by hackers.

Atlanta’s government systems went down for several days after a targeted cyberattack, while Germany’s network was attacked by hackers who targeted the private network of the interior minister.

Just this year, the U.S. and U.K. found the Russian government was behind the global Petya attack in June 2017. The wiper malware destroyed the IT systems of several major companies like FedEx and Merck, but also several U.S. health systems that had to replace entire networks to recover.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com