IHiS CEO Bruce Liang has received a slap on the wrist for the SingHealth hacking – Singapore’s worst-every cyber attack which saw the medical records of 1.5 million patients including Prime Minister Lee Hsien Loong stolen.
According to IHiS, the vendor tasked with managing SingHealth’s IT system, Liang and 5 other members of the senior management team each received a “significant” financial penalty for their “collective leadership responsibility”.
Two IHiS employees were sacked, and a “moderate” financial penalty was imposed on 2 middle management staff who were supervisors of the sacked employees.
IHiS refused to give further details about the punishments, but did state that letters of commendation were given to 3 staff who were “proactive and demonstrated resourcefulness” in managing the cyber attack.
That’s where the buck stops, it appears, despite a Committee of Inquiry’s findings that the most basic of cyber security failings resulted in ability of hackers to breach the system.
Despite the government, on its own accord, consolidating the public data in the hands of a central entity, in this case SingHealth, the public has no clear recourse when a data breach or violation involves a government entity.
This, because the public sector is not included under Singapore’s Personal Data Protection Act.
So far, no penalties have been announced for neither Minister-in-charge of Cyber Security, S Iswaran, nor SingHealth Group CEO Ivy Ng.