Following the release of the public report by the Committee of Inquiry (COI) into the SingHealth cyberattack, which occurred in July 2018, and Integrated Health Information Systems (IHiS) taking disciplinary action against staff members involved in the incident and against senior management team members, the Personal Data Protection Commission (PDPC) has imposed financial penalties on both IHiS and SingHealth, according to an official statement.
The PDPC administers the Personal Data Protection Act 2012 (PDPA) in Singapore, which aims to safeguard individuals' personal data against misuse and promote proper management of personal data in organisations. PDPC's investigations into the data breach arising from a cyberattack on SingHealth's patient database system found that IHiS had failed to take adequate security measures to protect the personal data in its possession. PDPC has imposed a financial penalty of S$750,000 on IHiS.
A financial penalty of S$250,000 has also been imposed on SingHealth as the owner of the patient database system. PDPC found that the SingHealth personnel handling security incidents were unfamiliar with the incident response process, were overly dependent on IHiS, and failed to understand, and to take further steps to understand, the significance of the information provided by IHiS after it was surfaced.
These financial penalties (a total of S$1 million) are the highest ever imposed by PDPC to date. PDPC took into account the fact that the data breach was the largest breach that Singapore has ever experienced, as well as the sensitive and confidential nature of the patients' data.
In addition, the penalties took into account the fact that IHiS and SingHealth were cooperative throughout the investigations and took immediate remedial actions. PDPC also recognised that both organisations were victims of a skilled and sophisticated threat actor bearing the characteristics of an Advanced Persistent Threat group, which used numerous advanced, customised and stealthy tools and carried out its attack over a period of more than 10 months.