"Sophisticated" Cyber-Attack Compromises Patient Data at Private Health Clinic

Personal and clinical data of more than 73,000 patients have been affected by a “sophisticated ransomware cyber-attack” on a private medical clinic in Singapore.

In a press release, Eye & Retina Surgeons revealed the attack took place on 6 August, compromising sensitive data including patients’ names, addresses, ID card numbers, contact details and clinical information. However, no credit card or bank account details were accessed or compromised in the incident.

“Patients are now being progressively informed of this cyber-incident,” the release stated.

The clinic confirmed that the attack impacted servers and several computer terminals at its branch in Camden medical, although none of its other branches were unaffected. Thankfully, none of the eye specialist’s clinical operations were affected, and its IT systems are now securely restored.

The company noted it “maintains segregated networks and active medical records are maintained separately on a cloud-based system and thus were not accessed or compromised.”

The incident was reported to the Personal Data Protection Commission and the Singapore Computer Emergency Response Team (SingCERT), while the Eye & Retina Surgeons’ IT team is working with the Cybersecurity Agency of Singapore (CSA) and the Ministry of Health (MOH) to investigate the causes and perpetrators of the attack.

The clinic said there is no evidence that any compromised data has been published, but it will continue to monitor the situation. It added: “(Eye & Retina Surgeons) regrets this breach and wishes to assure its patients that it takes patient confidentiality very seriously.”

In a separate statement, Singapore’s MOH reassured citizens that the compromised systems are not connected to its own IT network, including the National Electronic Health Record, and “there have been no similar cyberattacks on MOH’s IT systems.”

It added: “Following this incident, MOH will be reminding all its licensed healthcare institutions to remain vigilant, strengthen their cybersecurity posture, and ensure the security and integrity of their IT assets, systems, and patient data. It is only through the disciplined maintenance of a safe and secure data and IT system that healthcare professionals will be able to deliver accurate and appropriate care and uphold patient safety.”

Commenting on the story, Jonathan Knudsen, senior security strategist at the Synopsys Software Integrity Group, said: “Every organization is a software organization, even an eye clinic. All organizations, no matter their size or industry, must include cybersecurity as part of their day-to-day operations. A comprehensive, proactive approach to security reduces risk for the organization and its customers.

“In the case of Eye & Retina Surgeons, segmenting the network between administrative functions and medical data was a smart defensive move and prevented this attack from being much worse. This technique is part of the basic security hygiene that all organizations should practice. Even with the best defenses, things can still go wrong. Incident planning helps the organization be prepared to remediate problems and notify customers and authorities.”

What’s Hot on Infosecurity Magazine?