Fullerton Health and its vendor fined after patients' data offered for sale on dark web
SINGAPORE: Fullerton Health Group and its vendor have been fined a total of S$68,000 after the vendor’s server was hacked, leading to customer data being put up for sale on a dark web forum in 2021. More than 150,000 patients of Fullerton Health, as well as employees of its corporate clients, were affected by the breach.
The affected data included identity numbers, telephone numbers, financial details like bank account numbers and codes, as well as health information.
Fullerton Health was fined S$58,000, while Agape Connecting People Holdings – a social enterprise that helped to make appointments for patients of Fullerton Health – was fined S$10,000.
In a written judgment released on Thursday (Jun 22), the Personal Data Protection Commission (PDPC) found that Fullerton Health had made the situation worse by inadvertently disclosing personal data to Agape that the vendor did not require.
The healthcare provider was also ultimately responsible for exercising due diligence and reasonable supervision over Agape, added the PDPC.
WHAT HAPPENED
The case first came to light on Oct 15, 2021, when Fullerton Health realised its customer data was being peddled on a dark web forum. Three days later, its cybersecurity consultants made contact with the purported seller, who claimed he had extracted the data from Agape’s internet-facing file server.
As part of its social enterprise initiatives, Agape had engaged the services of inmates from Changi Women’s Prison to help provide call centre and appointment booking services to Fullerton Health’s customers.
Fullerton Health gave Agape access to its customer data through Microsoft SharePoint, a cloud-based document management system.
In order for the inmates to access Fullerton Health’s customer data from within the prison premises, Agape downloaded the data onto a single personal computer that was authorised to access the SharePoint platform, before re-uploading the data onto its internet-facing file server.
The file server was then white-listed for the inmates to access.
By Oct 22, 2021, the dark web forum post had been removed. Shortly before, Fullerton Health and Agape had notified PDPC of the data breach.
Fullerton Health’s cybersecurity consultants confirmed that the incident involved and affected only the file server. Fullerton Health’s own systems and servers were not affected.
The personal data of 133,866 patients of Fullerton Health and 23,034 employees of Fullerton Health’s corporate clients were illegally accessed, though the exact volume of exfiltrated personal data was unknown, the PDPC noted.
Agape suspended use of the file server while Fullerton Health notified those who had been affected. Fullerton Health also engaged Credit Bureau (Singapore) to provide free credit monitoring services to affected individuals for six months.
PERIODIC SECURITY REVIEWS ARE KEY
In its judgment, the PDPC said it has repeatedly emphasised the need for organisations to conduct periodic security reviews of their IT systems. While Agape had done this, the reviews did not cover the file server because it was a legacy feature unique to Agape’s engagement by Fullerton Health. Agape therefore never reviewed or assessed the file server’s security implications and risks.
When the data was breached, the password for the file server had also been inadvertently disabled for about 20 months. The cause could not be established.
This led to the file server becoming an “open directory listing on the internet with no password protection, and highly vulnerable to unauthorised access, modification and similar risks over an excessive period of time”, said the PDPC.
Before the password was disabled in December 2019, it had been shared between the inmates in order to access the file server. There was also no expiry date set for the password.
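The failure the PDPC describes here, an internet-facing file server that silently became an open directory listing with no password, is exactly what a periodic external review should catch, and it can be checked mechanically. The script below is an added example, not code from Fullerton Health, Agape, the PDPC judgment or CNA: it classifies HTTP responses from a list of externally reachable URLs, flags unauthenticated server-generated index pages, and counts the entries they expose. The hostnames, paths, file names and responses in `SAMPLES` are constructed for the example.

```python
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# Markers emitted by common auto-index implementations (Apache mod_autoindex,
# nginx autoindex, python -m http.server). Extend the list for other servers.
LISTING_MARKERS = [
    re.compile(r"<title>\s*Index of\s*/", re.I),
    re.compile(r"<h1>\s*Index of\s*/", re.I),
    re.compile(r"<h1>\s*Directory listing for\s*/", re.I),
]


@dataclass
class Probe:
    """One HTTP response from an internet-facing host (fetched or constructed)."""
    url: str
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return ""


def requires_auth(p: Probe) -> bool:
    """A challenge or denial: the server is at least not handing the content out."""
    return p.status in (401, 403) or bool(p.header("WWW-Authenticate"))


def is_directory_listing(p: Probe) -> bool:
    """A 200 HTML page that looks like a server-generated index."""
    if p.status != 200 or "text/html" not in p.header("Content-Type").lower():
        return False
    return any(m.search(p.body) for m in LISTING_MARKERS)


def listed_entries(p: Probe) -> list:
    """Names exposed by the listing, minus sort links, parent links and absolute URLs."""
    names = re.findall(r'<a href="([^"]+)"', p.body, re.I)
    return [n for n in names
            if not n.startswith(("?", "/", "../", "#", "http://", "https://"))]


def classify(p: Probe) -> str:
    if requires_auth(p):
        return "auth-or-denied"
    if is_directory_listing(p):
        return "OPEN-LISTING"
    if p.status == 200:
        return "reachable-no-listing"
    return "other-%d" % p.status


def fetch(url: str, timeout: float = 5.0) -> Probe:
    """Fetch a live URL into a Probe (not used by the constructed samples below)."""
    req = urllib.request.Request(url, headers={"User-Agent": "exposure-review/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Probe(url, r.status, dict(r.headers),
                         r.read(65536).decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Probe(url, e.code, dict(e.headers), "")


# Constructed responses standing in for an external review of two hypothetical hosts.
SAMPLES = [
    Probe("https://files.example.test/exports/", 200,
          {"Content-Type": "text/html;charset=ISO-8859-1", "Server": "Apache/2.4"},
          '<html><head><title>Index of /exports</title></head><body>'
          '<h1>Index of /exports</h1><table>'
          '<tr><th><a href="?C=N;O=D">Name</a></th></tr>'
          '<tr><td><a href="/">Parent Directory</a></td></tr>'
          '<tr><td><a href="appointments_2021-10.xlsx">appointments_2021-10.xlsx</a></td></tr>'
          '<tr><td><a href="patients/">patients/</a></td></tr>'
          '</table></body></html>'),
    Probe("https://files.example.test/private/", 401,
          {"WWW-Authenticate": 'Basic realm="files"', "Content-Type": "text/html"}, ""),
    Probe("https://www.example.test/", 200,
          {"Content-Type": "text/html"}, "<html><body><h1>Welcome</h1></body></html>"),
    Probe("https://files.example.test/archive/", 403, {"Content-Type": "text/html"}, ""),
]


def review(probes) -> list:
    """Return (url, verdict, number of exposed entries) for each probe."""
    return [(p.url, classify(p),
             len(listed_entries(p)) if is_directory_listing(p) else 0)
            for p in probes]


if __name__ == "__main__":
    for url, verdict, n in review(SAMPLES):
        print("%-20s %3d entries  %s" % (verdict, n, url))
```

Run against the list of every externally reachable host and path an organisation owns, including legacy ones outside the normal review scope, and treat any `OPEN-LISTING` verdict as an incident to triage, not a finding to schedule. Swap `SAMPLES` for `[fetch(u) for u in urls]` to probe live hosts; `fetch` keeps only the first 64 KB of each body, which is enough to recognise an index page without downloading the files it lists.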
Meanwhile, Fullerton Health was obliged to exercise reasonable oversight of Agape’s data processing activities by regularly monitoring its personal data handling processes, said the PDPC.
As for whether Fullerton Health was aware of the uploading of customer data to Agape’s file server, and whether it permitted this, the PDPC said there was insufficient evidence to make a finding.
However, the fact remained that Fullerton Health knew Agape was engaging inmates. Fullerton Health should have made reasonable inquiries to determine how the customer data would be stored and transmitted, the PDPC said.
IMPACT OF INCIDENT WAS "AMPLIFIED"
In determining what financial penalty to impose, the PDPC noted that through the SharePoint system, Fullerton Health had inadvertently disclosed personal data intended only for its employees’ internal use. Agape did not need this data to provide its services. The PDPC said this led to the “impact of the incident being amplified”.
Fullerton Health was also the data controller and “bore the ultimate responsibility to exercise due diligence and reasonable supervision over Agape”, added the PDPC.
It considered the fact that Fullerton Health’s annual turnover, based on its latest available audited accounts, was almost 50 times higher than Agape’s.
In terms of mitigating factors, the PDPC noted that both had taken prompt remedial actions when the data breach came to light. They have also taken steps to prevent the incident from happening again.
In October 2022, the maximum amount that a company can be fined for a data breach was increased to either 10 per cent of its annual turnover in Singapore or S$1 million, whichever is higher.
Previously, organisations that violate the Personal Data Protection Act would face a financial penalty of up to S$1 million.
Source: CNA/lt(zl)