PDPC slapped $750,000 penalty on IHiS for breaching data protection obligations
It also fined SingHealth $250,000 for the negligence of its data controllers.
The Personal Data Protection Commission (PDPC) has imposed financial penalties of $750,000 on Integrated Health Information Systems (IHiS) and $250,000 on Singapore Health Services (SingHealth) for breaching their data protection obligations. The breaches resulted in what is considered Singapore’s largest cyber attack, in which the personal information of over 1.5 million patients was stolen.
PDPC’s investigation into the data breach found that IHiS had failed to take adequate security measures to protect the personal data in its possession, while SingHealth personnel handling security incidents failed to understand the significance of the information provided by IHiS and to take the necessary steps in response.
“Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers,” PDPC said in a statement.
IHiS, which is the central IT agency responsible for Singapore’s healthcare sector, also sacked two managers, while imposing financial penalties on five members of its senior management, including CEO Bruce Liang, over their negligence.
The financial penalties imposed on SingHealth and IHiS are said to be the highest ever imposed by PDPC to date, taking into account that the data breach was the largest the country had ever experienced, as well as the sensitive nature of the patients’ data.
PDPC added that the penalties also took into account the fact that both IHiS and SingHealth were cooperative throughout the investigation and took immediate remedial action.