STATEMENT ON CYBERSECURITY INCIDENT AT EYE & RETINA SURGEONS

The Ministry of Health (MOH) was informed on 16 August 2021 that Eye & Retina Surgeons (ERS), a specialist medical clinic, was the target of a ransomware attack on 6 August 2021. The incident affected its clinic server and clinic management system which managed more than 73,000 patients. The clinic’s compromised IT systems are not connected to MOH’s IT systems, such as the National Electronic Health Record, and there have been no similar cyberattacks on MOH’s IT systems.

2. ERS made a Police report on 13 August 2021. The incident was also reported to the Personal Data Protection Commission and Singapore Computer Emergency Response Team for further investigations. Upon notification, MOH had requested ERS to investigate the incident, carry out a thorough review of its systems and work with the Cyber Security Agency to take immediate mitigating actions to strengthen its cyber defence.

3. The Government takes a serious view of any cyberattack, illegal access of data or action that compromises the integrity, confidentiality and availability of data and IT systems in Singapore. Section 12(1) of the Private Hospitals and Medical Clinics Regulations states that licensees shall implement adequate safeguards (whether administrative, technical or physical) to protect medical records against accidental or unlawful loss, modification or destruction, or unauthorised access, disclosure, copying, use or modification, as well as to periodically monitor and evaluate such safeguards in place to ensure that they are effective and being complied with by the persons involved in handling medical records.

4. MOH had also issued a set of Healthcare Cybersecurity Essentials guidelines in August 2021 to remind all licensees to establish and constantly review their security safeguards, implement new measures as necessary and adopt best practices to secure their endpoints and IT systems. Following this incident, MOH will be reminding all its licensed healthcare institutions to remain vigilant, strengthen their cybersecurity posture, and ensure the security and integrity of their IT assets, systems, and patient data. It is only through the disciplined maintenance of a safe and secure data and IT system that healthcare professionals will be able to deliver accurate and appropriate care, and uphold patient safety.