“Appropriate action has been taken… But, for national security reasons, I will not comment further.”
That was the explanation given in parliament yesterday by Minister-in-Charge of Cybersecurity S. Iswaran for the SingHealth data breach.
Data of 1.5 million patients, including Prime Minister Lee Hsien Loong, were stolen by hackers in the worst-ever cyber-attack to hit Singapore.
160,000 people, including PM Lee and a few ministers, had their outpatient prescriptions stolen as well.
The June 2018 cyber-attack, according to the government, was state-orchestrated and the identity of the perpetrator is known.
However, Mr Iswaran refused to name the state involved, saying that is in Singapore’s national interest.
“I don’t think we should reduce whether we have confidence in the sense of justice to just one specific point: that there’s no public attribution of the perpetrator.”
Even as he declined to name the state involved, Mr Iswaran refused to disclose what measures have been taken to seek justice for victims.
He would only reveal that government agencies have trawled the Dark Web and no patient data has been found to be leaked.
Regarding the lack of disclosure by Mr Iswaran, Pioneer SMC MP Cedric Foo noted in parliament that “there seems to be a vacuum as far as the sense of justice”.
IHiS, the agency responsible for maintaining SingHealth’s IT system, has since been fined S$750,000 for the data breach by the Personal Data Protection Commission.
IHiS CEO Bruce Liang and several other senior management staff were given a fine, while 2 employees were sacked.
SingHealth received a S$250,000 fine.
IHiS and SingHealth are wholly owned subsidiaries of MOH Holdings, the holding company through which the Singapore Government owns the corporatised institutions in the public healthcare sector.