Spilt Milk and SingHealth Data Breach

As we digest news of our massive SingHealth data breach, let’s take a step back to assess how we’re dealing with the incident. We aren’t the first country to experience a major healthcare data breach. How are we doing compared with other countries, and what can we learn from ourselves as well as from others?

This SingHealth data breach involved personal data of 1.5 million patients, including information on outpatient dispensed medicines of some 160K of them. This is a serious breach, even though in absolute numbers, it’s very small compared with healthcare data breaches in other countries.

The largest healthcare data breach in the world to date is the Anthem medical data breach in the U.S. It was reported in early 2015 and affected 78.8 million people. Shocking, yes. Anthem is a health insurance provider. They lost more data types than what is reported for ours, but at the basic level, also included name, social security number (which can be compared with our NRIC number), address, and date of birth. In the aftermath after disclosure, Anthem offered free identity theft protection and credit monitoring services for two years, and settled several class-action lawsuits at a cost of US$115 million.

The 2015 year was a terrible year for the U.S. healthcare industry, because the 2nd largest data breach happened the same year, again in the U.S., this time involving another health insurance provider, Premera. They, too, lost medical records and financial information, on top of personal data. In the aftermath, Premera offered free credit monitoring and identity theft protection, also for two years.

These two cases show that SingHealth could at least try to do something more concrete for affected people. We are fortunate that SingHealth’s data breach didn’t involve much more information, though I’m suspicious if there is more to it than they’re letting on.

Identity theft is a very real threat and it can seriously disrupt our lives. I feel SingHealth, and our multi-ministry response to this data breach, could have dealt with this matter more extensively and more seriously. Text messages that SingHealth sent to patients to inform that their personal data was compromised added that, “no action required”, comes across as very irresponsible to me. Elsewhere they have advised affected people to “heighten online vigilance” and to secure “online credentials with strong passwords”.

Your personal data has been compromised, enough that criminals can use to get through account verification practices of many organisations. What does “no action required” mean? Are they saying that since there’s no easy fix anyway, hence no action required?

I understand changing your address won’t really address (no pun intended) the issue, because you can’t change your NRIC number or your date of birth. Some 25% of our population has been affected by this breach. Can we do more to address this concern?

Anthem’s and Premera’s offer of identity theft protection and credit monitoring, common in other data breach incidents in the U.S., at least provides some assurances to affected people that they’re being taken care of.

In Singapore, the PR strategy seems to be to downplay the severity of the incident, so that people will not panic. That’s not right.

I thought Health Minister Gan Kim Yong’s apology for the data breach was a great start. But we’re getting mixed signals after that.

At times, I think the government really needs to hire better PR people. The excuses of “unprecedented breach” sounds like they reused the prepared text from the 2017 Mindef cyberattack. CSA CEO David Koh says of this breach as “deliberate, targeted and well-planned cyber attack”. Same as last year’s “targeted and carefully planned” breach at Mindef. He also said “it was not the work of casual hackers or criminal gangs”, apparently the same “not the work of casual hackers or criminal gangs” as he said last year. (Refer 20 July 2018 article and 28 February 2017 article.) No PR fella to update the template?

I sometimes wonder about Mr Koh’s definition of casual hackers and criminal gangs. Would they be individuals and tech-savvy gangsters who try persistent password guessing? Would attendees of Black Hat Asia 2018 in Singapore be suspects in this cyberattack?

My last post was a bit critical of our government’s handling of the matter. We should be. Some people say with 20/20 hindsight, it’s easy to criticise anything. But I’m not talking about how the breach should not have happened. My point is about how the breach should now be handled. It’s still not too late to fix that. Can the government please address the serious matter of potential identity theft?

I totally agree there’s no point crying over spilt milk, even though we should investigate how the milk was spilt. Sure, let’s move on, but surely just saying we’ll learn how not to spill milk henceforth and that the spilt milk wasn’t really a big deal, that’s just not right? Shouldn’t we look at how to clean up the spilt milk, if the spilt milk might have caused incidental or consequential damages, how do we remedy or mitigate those damages, and transparently communicate with all stakeholders over the spilt milk?

This is a massive breach, but what we’re getting is “no action required”, “basic demographic data”, and “no strong commercial value”. We’ve plugged the milk leak (we were so smart about that!) but we’ll just leave the spilt milk there, it’s no big deal, no one really wanted the milk anyway?