Fines of SG$6,000 imposed on National Healthcare Group for Data Breach

The National Healthcare Group (NHG), a group of public hospitals and polyclinics, was fined SG$6,000 (approximately $4,452) for the disclosure of sensitive information belonging to 129 general practitioners. The problem came to light after a practitioner found an error and the organization was notified. The incident took place on 7 February 2018, and NHG immediately resolved its cause. The information displayed included full names, pictures, contact details, NRIC numbers, e-mail addresses and clinic addresses.

Personal data of general practitioners, NHG partner doctors and five members of the general public was disclosed online, according to Singapore's privacy authority, the Personal Data Protection Commission (PDPC), as reported by CNA.

PDPC argued that NHG had not put reasonable data security safeguards in place and had thus contravened the Personal Data Protection Act. It stressed that NHG had failed to correct known vulnerabilities in its network systems that permitted unauthorized access to sensitive information.

Last year, PDPC fined PC vendor Option Gift $4,000 for disclosing the personal information of 426 National Servicemen. The Commission stated that Option Gift had been found in violation of paragraph 24 of the Personal Data Protection Act, exposing sensitive data.

The affected data included login IDs, e-mail addresses and delivery addresses of NSmen from the Singapore Armed Forces (SAF) and Home Team mobile. The problem arose from a technical error in Unique Rewards, an online portal operated by Option Gift that enables the Ministry of Defense (MINDEF) and Ministry of Interior to redeem credit for service-related rewards. The PDPC stated that Option Gift had failed to perform sufficient testing before the program script was deployed.

PDPC alleged that NHG had not provided adequate protections for data security, thus violating the Personal Data Protection Act.