Singapore's privacy watchdog has meted out its largest fine of S$750,000 to Integrated Health Information Systems (IHiS) for lapses in securing patient data which resulted in the nation's worst data breach, The Business Times reports.
The cyber attack on SingHealth in June 2018 compromised the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong.
Even though IHiS is the technology vendor for Singapore's healthcare sector, SingHealth also has to take responsibility as the owner of the patient database system - a point that the Personal Data Protection Commission (PDPC) stressed in dishing out penalties.
As such, SingHealth was fined S$250,000, the second largest here.
In a statement on Tuesday, the PDPC said: "Even if organisations delegate work to vendors, organisations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers."
Singapore's privacy watchdog also found the person handling security incidents involving SingHealth to be unfamiliar with the incident response process. He failed to take further steps to investigate and understand reports on suspicious activities, it noted.
The PDPC was referring to the key technology risk man at IHiS - cluster information security officer Wee Jia Huo - who was in charge of the SingHealth cluster.
In a public report issued last week by the Committee of Inquiry probing the cyber attack, Mr Wee was said to have displayed "an alarming lack of concern" when it was clear that a critical system had been potentially breached.
IHiS and SingHealth are wholly owned subsidiaries of MOH Holdings, the holding company through which the Singapore Government owns the corporatised institutions in the public healthcare sector.
It was reported on Monday that IHiS had fired two employees and redeployed its technology risk man. Mr Wee, whose job was to decide if upper management should be alerted about incidents, was demoted and redeployed to another role.
IHiS would also impose a "significant financial penalty" on five members of its senior management team, including chief executive officer Bruce Liang.
Those found to be in breach of the Personal Data Protection Act in Singapore could be fined up to S$1 million. Karaoke bar chain K Box was among the first batch of organisations punished for breaking the law. It was fined S$50,000 over an incident in September 2014 that saw the data of 317,000 customers leaked.