Employees fired and fined in SingHealth Data Breach which compromised private data of 1.5 million patients

• Two employees of Integrated Health Information Systems (IHiS) were fired for their role in SingHealth Data Breach.
• Five senior management executives including the CEO were fined with a financial penalty.

Two employees including a team lead in the Citrix Team and a Security Incident Response Manager were fired as they were found to be in non-compliance of orders, negligent, and responsible for the SingHealth data breach. Further, five senior management executives including the CEO of Integrated Health Information Systems (IHiS) were fined with a significant financial penalty.

The IT agency Integrated Health Information Systems (IHiS) was responsible for preventing the SingHealth data breach which ended up compromising over 1.5 million patients' private data. The Integrated Health Information Systems (IHiS) released a press release on January 14, 2019, that the IT agency is committed to improving the cyber defense in public healthcare.

IHiS said in the press release that the Committee of Inquiry (COI) proceedings into the SingHealth data breach have noted important findings of the threat actors in the evolving cybersecurity landscape, as well as many critical areas of improvement for IHiS. The IT agency said that it is carefully studying the findings and recommendations from the COI.

Employees Fired and Fined

IHiS Board of Directors have appointed a HR panel to review employees’ roles, responsibilities, actions involved and assess the appropriate HR actions to be taken. The HR panel examined the roles and responsibilities of the employees involved in the incident and submitted its recommendations to the IHiS board.

• Two employees a Team Lead in the Citrix Team and a Security Incident Response Manager were terminated.
• A significant financial penalty was imposed on 5 members of the IHiS senior management team, including the CEO, for their collective leadership responsibility.
• Two middle management supervisors, who were supervisors of the two employees terminated were fined with a moderate financial penalty.

“The CEO and management team have acknowledged their responsibilities and accepted the penalties. They have committed to leading IHiS to improve our cybersecurity defense and preparedness and rebuild public trust in our healthcare system,” the press release read.

“I would like to thank the HR Panel for their comprehensive evaluation and recommendations. The cyber attack has been a reminder of our need to be ever more vigilant and prepared for new cyber threats. Patient care will continue to be our priority. IHiS will learn from this incident, and work with the Ministry of Health and the healthcare clusters to implement the necessary changes that will help us emerge stronger from this,” Paul Chan, Chairman IHiS Board said.