National Healthcare Group Fined SG$6,000 for Data Breach

The National Healthcare Group (NHG), a group of public hospitals and polyclinics, was fined SG$6,000 (approximately US$4,452) for exposing sensitive data of 129 general practitioners. The issue came to light after one of the practitioners found a bug and then notified the organization. The incident occurred on February 7, 2018, and NHG fixed the cause of the incident immediately. The exposed information included full names, photographs, contact details, NRIC numbers, mailing addresses, email addresses, and clinic addresses.

According to the Personal Data Protection Commission (PDPC), Singapore government’s privacy authorization body, personal information of general practitioners, partner doctors of NHG, and five members of the general public was exposed online, the CNA reported.

PDPC claimed that NHG failed to make reasonable security arrangements for data security and thus violated the Personal Data Protection Act. It also stressed that NHG neglected to fix known vulnerabilities in its network systems that allowed unauthorized access to sensitive information.

Last year, PDPC fined its computer vendor Option Gift US$4,000 for disclosing personal information of 426 NSmen (National Servicemen). The commission stated that it discovered Option Gift’s violation of section 24 of the Personal Data Protection Act, which exposed sensitive information.

The compromised data included information like log-in identifications, e-mail addresses, delivery addresses, and mobile phone numbers of the NSmen from the Singapore Armed Forces (SAF) and Home Team. The issue occurred due to a technical flaw in UniqueRewards, an online portal maintained by Option Gift, which allows NSmen to redeem credits for service-linked rewards from the Ministry of Defence (MINDEF) and the Ministry of Home Affairs (MHA). The PDPC stated that Option Gift had failed to conduct enough testing before deploying the program script.