Singaporean company IHiS sacked two employees and fined five top executives, including a managing director, during the June 2018 SingHealth cyberattack, in which 1.5 million personal data were stolen


SINGAPORE: Integrated Health Information Systems (IHiS) fired two employees for negligence following a cyber attack on SingHealth, in which personal information of 1.5 million patients was stolen, including Prime Minister Lee Hsien Loong.

IHiS, the central IT agency responsible for the health sector in Singapore, said Monday (January 14th) that it also imposed a "significant" financial penalty on five members of management, including General Manager Bruce Liang. , "for their collective responsibility to the management".


A "moderate" fine will be imposed on two supervisors in the middle management who were the supervisors of the two dismissed employees.

IHiS refused to give more details on the pecuniary sanctions.

READ: Singapore's health system is the victim of "the most serious violation of personal data"; PM Lee's data is targeted

READ: If they were trying to embarrass me, they would have been disappointed: Prime Minister Lee on SingHealth cyberattackers



The decision came after IHiS appointed an independent committee in November to review the people involved and to provide a set of recommendations to its board of directors, which "fully accepted" these recommendations.


A Citrix team leader and a security incident response officer were found to be "negligent and orderly non-compliance," which had an impact on security and contributed to "the scale without previous incident ".

Although the Citrix team leader has the necessary technical skills, his attitude towards security and the configuration of his servers have created unnecessary and significant risks for the system, said IHiS.

The security incident response manager had "persisted in misunderstanding" of what constituted a security incident, and when such an incident should be reported. His passivity, even after repeated alerts from his staff, led to missed opportunities that could have mitigated or avoided the effects of the cyber attack, IHiS added.

"Although there is no intention to provoke or facilitate the cyber attack, they have failed to fulfill the responsibilities entrusted to them," the company said in a statement. Press.

READ: IHIS officer hesitates before reporting an alleged violation

A Cluster Information Security Officer was also found to have misunderstood what constituted a security incident and not to abide by the IHiS incident reporting processes.

IHiS stated that the panel had taken into account mitigating factors such as its lack of aptitude, which made it unsuitable for this role. The agent will be demoted and redeployed to another role.


IHiS stated that letters of recommendation were sent to three employees, who had been diligent in handling the incident beyond the scope of their work and responsibilities. They were "proactive and ingenious" in managing the cyber attack, he said.

READ: The agent took the initiative to investigate even if it was not his job

IHiS President Paul Chan said the cyberattack recalled the need to be more vigilant and prepared for cyber threats.

"IHiS will learn from this incident and will work with the Ministry of Health and health clusters to implement the necessary changes that will help us emerge stronger," he added.

The cyberattack was the most serious violation of public data by Singapore. He saw the records of 1.5 million patients, including their names, numbers, and NRIC addresses, as well as other information accessed from June 28 to July 4 of last year. The data collected included drug registrations for nearly 160,000 patients.

Prime Minister Lee Hsien Loong was among those affected, with his attackers repeatedly targeting his personal information and information about his medications on an outpatient basis.

The Inquiry Commission (IOC) to investigate the SingHealth cyberattack has formulated seven priorities and nine additional recommendations in the public version of its report released last Thursday.

The recommendations focus on five broad areas, from creating a culture of cybersecurity to improving incident response capabilities.

READ: SingHealth IOC Report Released: System Vulnerabilities, Staff Failures, Skilled Piracy Leads to Cyber ​​Attack

READ: "The attacker could have been arrested": SingHealth COI report

Chaired by retired District Chief Judge Richard Magnus, the IOC's four-member team was tasked with defining the events and factors contributing to the cyberattack on the SingHealth Patient Database on June 27. 2007 or around this date, and "exfiltration" of network data.

IHiS said it has accelerated and implemented a series of 18 cybersecurity measures to strengthen its cybersecurity safeguards. In addition, staff engagement and training has been strengthened to increase vigilance and increase staff awareness of cybersecurity.

He added that he was studying the IOC conclusions and recommendations.

"The lessons and critical areas of improvement from the IOC report call for a paradigm shift in cybersecurity management," the company said.