The largest healthcare provider in Singapore, SingHealth, has suffered a massive data breach affecting a huge portion of the city-state’s population, including Prime Minister Lee Hsien Loong, the Singapore Ministry of Health announced Friday.
Some 1.5 million people who visited specialist outpatient clinics and polyclinics run by the company over a three-year period were affected, authorities said. Singapore is home to 5.6 million people, according to the latest population estimates.
“The security and confidentiality of patient information is a top priority,” Prime Minister Lee said Friday in a Facebook post responding to the hack.
“We are convening a Committee of Inquiry to look thoroughly into this incident. It will doubtless have valuable conclusions and recommendations, which will help us do better,” he said.
Attackers were able to infiltrate SingHealth’s system, and illegally access and copy what the company called the “non-medical personal particulars” of people who visited the clinics from May 2015 until July 4 this year. That includes names, addresses, dates of birth and identity card information.
The outpatient medication data of some 160,000 patients was also compromised, including Lee, who said he was specifically targeted.
“I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me. If so, they would have been disappointed,” he said.
Singapore’s Health Ministry said that hackers did not access any diagnoses, test results or doctors’ notes. In a separate Facebook post, the company said the attackers were not able to obtain any patient phone numbers or financial information.
A police investigation is continuing.
Authorities first noticed unusual activity in one of SingHealth’s IT databases on July 4, according to the Health Ministry’s news release. It was confirmed to be a cyberattack six days later. The attackers were found to have breached a front-end workstation to obtain privileged credentials.
“This was a deliberate, targeted and well-planned cyberattack. It was not the work of casual hackers or criminal gangs,” the Health Ministry said.
The company provided a website so customers can check if they were among those affected and is contacting all patients.
Eric Hoh, a top executive at the cybersecurity firm FireEye, said he believes this incident should serve as a wake-up call to some of Singapore’s neighbors.
“Many businesses and governments in Southeast Asia face cyber threats, but few recognize the scale of the risks they pose. Singapore ranks among the leaders in cybersecurity, and we would like to see more governments follow their lead in disclosing breaches,” he said in a statement.
“There are no quick fixes to the cybersecurity challenge, and breaches are inevitable. It’s important that business and governments work together to improve our collective security so that when breaches do occur, we can minimize the consequences.”
CNN’s Jo Shelley, Sandi Sidhu and Yazhou Sun contributed to this report