SINGAPORE – Farrer Park Hospital has been fined $58,000 over a data breach that led to personal data of 3,539 individuals being leaked.
Of these, 1,923 individuals had their medical records disclosed.
The confidential data was leaked through 9,271 e-mails that had been automatically forwarded to an undisclosed third-party recipient over nearly two years, said the Personal Data Protection Commission (PDPC) in a judgment on the case dated Sept 15 and released on Friday.
Between March 8, 2018, and Oct 25, 2019, a total of 9,271 e-mails had been automatically forwarded from two of the hospital’s employees’ Microsoft Office 365 work e-mail accounts to an outsider’s e-mail address.
PDPC’s report did not provide further information on the third-party recipient.
The employees were from the hospital’s marketing department and handled personal information coming from patients and clients requesting medical treatment. The data collected includes the sender’s name, NRIC, birthdate, passport details, picture and contact number.
It also includes medical information, such as the patient’s medical condition and documents containing medical procedures, X-rays and other analysis.
In October 2019, the hospital’s helpdesk received a complaint that one of its e-mail accounts could not send outgoing e-mails.
The IT department soon discovered that two accounts were used without authority to automatically forward all incoming e-mails to a third-party e-mail account.
At that time, the hospital had implemented a suite of data protection measures and policies, such as a cloud-based filtering service to protect the organisation from e-mail threats, firewalls to prevent unauthorised access to its private network, and cyber-security training for its staff.
The work e-mail accounts of the hospital’s employees were hosted on Microsoft Office 365. But at the time of the incident, the accounts were not equipped with multi-factor authentication, which was only rolled out in June 2019.
The hospital has since disabled the auto-forwarding feature and ramped up internal cyber-security measures, said the PDPC, adding that the feature was a known security risk to organisations.
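As an added defender's example that is not part of the article: a small Python check over constructed audit records (shaped like Microsoft 365 unified audit log entries for Exchange, an assumed schema) that flags inbox rules or mailbox settings which forward mail to an address outside the organisation's own domains, the kind of change that went unnoticed here for nearly two years.

```python
import json

# Constructed sample records shaped like Microsoft 365 unified audit log
# entries for Exchange mailbox changes (schema assumed; not data from the case).
SAMPLE_AUDIT_LOG = json.dumps([
    {"CreationTime": "2018-03-08T09:12:44", "Operation": "New-InboxRule",
     "UserId": "m.tan@hospital.example", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "smtp:collector@mail.example.net"}]},
    {"CreationTime": "2018-03-09T11:03:02", "Operation": "New-InboxRule",
     "UserId": "j.lim@hospital.example", "ClientIP": "198.51.100.7",
     "Parameters": [{"Name": "Name", "Value": "Team copy"},
                    {"Name": "ForwardTo", "Value": "smtp:marketing-shared@hospital.example"}]},
    {"CreationTime": "2018-04-02T08:00:00", "Operation": "Set-Mailbox",
     "UserId": "admin@hospital.example", "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "Identity", "Value": "j.lim@hospital.example"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@mail.example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
])

INTERNAL_DOMAINS = {"hospital.example"}          # the organisation's own mail domains
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
WATCHED_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}


def _addresses(value):
    """Split a parameter value into bare, lower-cased addresses, dropping 'smtp:' prefixes."""
    out = []
    for part in str(value).replace(";", ",").split(","):
        part = part.strip()
        if part.lower().startswith("smtp:"):
            part = part[5:]
        if "@" in part:
            out.append(part.lower())
    return out


def external_forwards(audit_json, internal_domains=INTERNAL_DOMAINS):
    """Return forwarding changes whose destination lies outside the internal domains."""
    findings = []
    for rec in json.loads(audit_json):
        if rec.get("Operation") not in WATCHED_OPS:
            continue
        for param in rec.get("Parameters", []):
            if param.get("Name") not in FORWARD_PARAMS:
                continue
            for addr in _addresses(param.get("Value", "")):
                if addr.rsplit("@", 1)[1] not in internal_domains:
                    findings.append({"time": rec["CreationTime"], "operation": rec["Operation"],
                                     "actor": rec["UserId"], "destination": addr})
    return findings


if __name__ == "__main__":
    for finding in external_forwards(SAMPLE_AUDIT_LOG):
        print(finding)
```

Forwarding to an internal shared mailbox (the second record) is left alone; the two changes pointing at the outside address are reported with their timestamp and the account that made them.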
PDPC said it gave the hospital the benefit of the doubt that a lack of guidelines on cyber-security measures may have affected its assessment of the risks, but warned of enforcement action in future cases.
It added that the hospital’s marketing department ought to have implemented stronger security arrangements as it routinely handles a high volume of sensitive personal data.
The hospital lacked secure authentication methods, such as a combination of a passcode and a digital key, and implemented them too late, it added.
The hospital reported that it appointed a private forensic expert to monitor the Internet and the dark Web from February to April 2020 and that it did not find any unauthorised disclosure of the personal data involved, said the PDPC.