Healthcare provider hit by cyber-attack earlier this month
A ransomware attack at a Singapore eye clinic has potentially exposed the personal data of more than 73,000 patients.
The security incident at Eye & Retina Surgeons (ERS) happened on August 6, confirmed Singapore’s Ministry of Health in a statement.
ERS also notified police, the Personal Data Protection Commission, and Singapore’s Computer Emergency Response Team.
It has not yet been confirmed how many people had their information compromised or what type of datasets may have been accessed.
Government steps in
In light of the incident, the government has instructed ERS to work with the country’s federal cybersecurity agency to take mitigation actions and implement stronger cyber defenses.
“The government takes a serious view of any cyber-attack, illegal access of data, or action that compromises the integrity, confidentiality, and availability of data and IT systems in Singapore,” the statement read.
It also cited laws mandating that licensed medical organizations must implement “adequate safeguards” to protect healthcare records against accidental or unlawful loss, modification or destruction, or unauthorized access, disclosure, copying, use or modification.
They must also “periodically monitor and evaluate such safeguards in place to ensure that they are effective and being complied with by the persons involved in handling medical records”.
It added: “Following this incident, MOH will be reminding all its licensed healthcare institutions to remain vigilant, strengthen their cybersecurity posture, and ensure the security and integrity of their IT assets, systems, and patient data.”
Law of the land
Singapore’s data breach notification law, enacted in 2021, states that “notifiable” breaches must be reported to the data protection office.
For a breach to be notifiable, it must cause significant harm to the individuals whose information has been exposed, involve more than 500 individuals, or both.
An organization must notify the Cybersecurity Commissioner as soon as possible, and no later than three calendar days after the breach is assessed to be notifiable. Penalties could include a fine of up to 10% of an organization’s annual turnover or SGD 1 million ($742,000), whichever is higher.