On 21 July 2018, a cyberattack on SingHealth resulted in theft of information including names; NRIC; address; gender; race; and date of birth of 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018. Additionally, 160,000 patients had outpatient prescription information stolen as well. SingHealth has stated that diagnosis, test results, doctors’ notes, mobile numbers, medical records, and financial information all remained intact. The attack is suspected to be state sponsored, targeting data on Prime Minister Lee Hsien Loong in particular.
There have already been attempts by various parties to capitalize on the situation via fake SMS or fake phone calls that seek to obtain further personal or financial information or to create panic on the extent of data stolen. SingHealth has reiterated that it will not contact those affected by phone, but limit communication to through SMS or letter.
Victims of the data theft are exposed to certain broad risks such as identity theft whereby the NRIC number is used to fabricate a fake NRIC card, which can then be used for various illegal purposes like to borrow money in the victim’s name. Victims may also be subject to phishing attempts and scams, which trick the viewer into disclosing further sensitive information such as passwords or persuading the viewer to undertake detrimental actions like making cash transactions to strangers.
Finally, the risks are heightened for high net worth individuals (HNWIs) as stolen data may be combined with extensive profiling efforts to increase the success rate of identity theft or scams conducted against HNWIs. Blackmail may also occur if a HNWI has sensitive medical information stolen or if additional secrets are uncovered through profiling.
Security experts have postulated several scenarios which involve the use of stolen data. Firstly, fake phone calls may be made claiming to be from a Singapore government agency such as the police which then states that you have committed an offence and either provides a link to follow or requests further information from you. Secondly, perpetrators may make a phone call to you or your loved ones stating that one of you is overseas and has either been involved in an accident, gotten into trouble with law enforcement, or kidnapped; followed by instructions to perform certain actions to your detriment.
You should immediately ascertain if you are affected by the SingHealth hack via any of SingHealth’s official notification methods. If your data was stolen, be on the lookout for fraudulent activity in your communications and financial statements. Do not entertain any suspicious SMS and phone calls and instead verify any information given via known channels such as official hotlines. If you suspect a scam attempt on you citing a loved one overseas, contact the latter immediately or approach the Ministry of Foreign Affairs for assistance. Always verify the URL and website appearance before entering any sensitive information such as passwords. Finally, always adequately destroy documents containing sensitive information before disposal.
For more details,
Please e-mail us at email@example.com