72 HealthHub accounts suspected to be hacked
Checks show about 70 accounts were affected but access to data was limited to basic tier of portal
About three months after the cyber attack on SingHealth's database, a number of HealthHub accounts were recently accessed illegally by hackers.
As in the SingHealth attack, the latest breach also occurred under the watch of Integrated Health Information Systems (IHiS), which runs the IT systems of all public healthcare operators in Singapore.
In a press statement yesterday, the Health Promotion Board (HPB) and IHiS said they were alerted by a user who suspected her e-mail account had been used without authorisation to access the HealthHub portal.
HealthHub, which is owned by HPB, is a gateway to citizens' medical records, prescriptions and clinic appointments.
Investigations found "higher than usual attempted log-ins" to the portal on Sept 28, Oct 3, 8 and 9. The attempts were made using more than 27,000 Facebook IDs and e-mail addresses.
About 98 per cent of them were not registered on HealthHub, and invalid passwords were used on some registered HealthHub account IDs.
However, 72 accounts were discovered to have been accessed. These were locked and HPB advised the account holders on how they could unlock their accounts and reset their passwords.
Some of these users have since verified they had logged into their accounts themselves.
Access to the HealthHub mobile application and website e-services was also suspended from Oct 9 to 14 as the suspected hack was investigated.
Access to the e-service has since been restored.
The statement said that due to the "suspicious volume" of e-mail addresses not registered with the portal, it is likely that the addresses were "obtained from external sources".
There was also "no evidence of a breach" in the HealthHub system, with access to the system limited to the basic tier of the portal, which contained only details of user profiles and points accumulated from participation in HPB programmes.
The limited access was attributed to the requirement of SingPass and two-factor authentication (2FA) for access to other e-services, which were not affected.
HPB has made a police report.
In July, the Ministry of Health and Ministry of Communications and Information revealed that 1.5 million SingHealth patients' records were accessed and copied, while 160,000 of those had their outpatient dispensed medicines' records taken, in what was described as the "most serious breach of personal data" in Singapore's history.
Prime Minister Lee Hsien Loong's data was said to be repeatedly targeted in the breach, which occurred in late June.
A four-member Committee of Inquiry (COI) was convened to look into the SingHealth breach, and the hearings are still ongoing.
Yesterday's statement said the log-in credentials used for the basic tier of HealthHub are not the same as the data that was exfiltrated during the SingHealth cyber attack.
The nature of the incidents is also different.
HPB and IHiS said they will continue to strengthen system surveillance to ensure the security of HealthHub and reminded users to use strong passwords for their accounts.
Asked why hackers had attacked two Singapore health platforms in a matter of months, Mr Steven D'sa, director of South-east Asia at cybersecurity firm FireEye, said: "Health data is valuable for various reasons. In this recent case, there hasn't been much information released about the attackers, so it is hard to say what their motives were."
He added that it is commendable for organisations to come out publicly about such cybersecurity incidents.
"When incidents like these become known, we receive a wave of questions from businesses and agencies asking how they can improve their security, and it really helps drive corrective action," he said.
"This incident doesn't mean a lot for the average Singaporean, but it is a reminder that most of us remain vulnerable to similar efforts, and we should use strong, unique passwords on all accounts."