
Anatomy of a Breach: SingHealth — 1.5 Million Patients Including a Prime Minister Targeted by Nation-State Attackers

> series: anatomy_of_a_breach —— part: 115 —— target: singhealth —— patients: 1,500,000 —— vip_targeted: prime_minister_lee

Hedgehog Security, 31 July 2018

1.5 million patients. The Prime Minister's prescriptions. A nation-state wanted to know.

On 20 July 2018, Singapore's government disclosed that SingHealth, the country's largest public healthcare group, had been breached by a sophisticated threat actor. The personal data of approximately 1.5 million patients (names, NRIC numbers, addresses, gender, and dates of birth) and the outpatient prescription records of 160,000 patients were stolen. Prime Minister Lee Hsien Loong's prescription data was specifically targeted: the attackers accessed his records repeatedly.

The breach, attributed to a nation-state threat actor, had been active from approximately June to July 2018. The attackers exploited vulnerabilities in SingHealth's front-end workstations to gain initial access, then moved laterally through the network to reach the electronic medical records database. Singapore's Committee of Inquiry into the breach found multiple security failures including inadequate network segmentation, delayed incident response, and insufficient monitoring — the same failure patterns documented in healthcare breaches throughout this series from the NHS to Anthem.



Medical records as intelligence targets.

VIP Targeting

The attackers specifically and repeatedly targeted the Prime Minister's prescription records — suggesting the objective was intelligence on a head of state's health, not mass data theft. For UK organisations providing healthcare to VIPs, senior officials, or military personnel, this precedent means patient data has intelligence value beyond its commercial worth. Our <a href="/blog/sector-under-the-microscope-healthcare">healthcare sector analysis</a> examines this elevated threat model.

Healthcare Under Sustained APT Attack

SingHealth joined <a href="/blog/anatomy-of-a-breach-anthem">Anthem</a>, <a href="/blog/anatomy-of-a-breach-premera-blue-cross">Premera</a>, the <a href="/blog/anatomy-of-a-breach-wannacry">NHS (WannaCry)</a>, and <a href="/blog/anatomy-of-a-breach-hollywood-presbyterian-ransomware">Hollywood Presbyterian</a> in the growing catalogue of healthcare organisations targeted by sophisticated adversaries. The sector holds uniquely sensitive data and operates uniquely vulnerable infrastructure.

Segmentation Failures — Again

The Committee of Inquiry found that inadequate network segmentation allowed attackers to move from front-end workstations to the EMR database. This is the same segmentation failure identified in the <a href="/blog/anatomy-of-a-breach-sony-psn">Sony PSN</a> (2011), <a href="/blog/anatomy-of-a-breach-target">Target</a> (2013), and <a href="/blog/anatomy-of-a-breach-wannacry">WannaCry</a> (2017) breaches. Our <a href="/penetration-testing/infrastructure">infrastructure testing</a> validates segmentation.

Monitoring and Response Delays

The breach was active for weeks before effective response. <a href="https://www.socinabox.co.uk/sectors/gp-surgeries">SOC in a Box for Healthcare</a> provides the continuous monitoring that detects lateral movement and anomalous database access — reducing dwell time from weeks to hours. <a href="https://www.cyber-defence.io/services/incident-response">UK Cyber Defence</a> provides the incident response capability for healthcare-specific breaches.
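
The anomalous database access described above can be checked for in EMR audit data. The following is an added example, not code from the original article or from any SingHealth system: it flags the two patterns this breach showed, repeated lookups of one watch-listed patient's records and wide reads across many patients from a single source. The log format, field names, hostnames, account names, watch-list and thresholds are all assumptions, and the sample records are constructed.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample (assumed format): timestamp,source_host,db_account,patient_id,table
SAMPLE_AUDIT_LOG = """\
2024-01-02T09:02:11,ws-clinic-014,dr_tan,P-000123,prescriptions
2024-01-02T09:15:40,ws-clinic-014,dr_tan,P-VIP-001,prescriptions
2024-01-02T09:40:05,ws-clinic-014,dr_tan,P-000456,prescriptions
2024-01-03T02:11:09,ws-front-207,svc_report,P-VIP-001,prescriptions
2024-01-03T02:11:30,ws-front-207,svc_report,P-000777,demographics
2024-01-03T02:11:52,ws-front-207,svc_report,P-VIP-001,prescriptions
2024-01-03T02:12:10,ws-front-207,svc_report,P-000778,demographics
2024-01-03T02:12:31,ws-front-207,svc_report,P-000779,demographics
2024-01-03T02:12:55,ws-front-207,svc_report,P-VIP-001,prescriptions
2024-01-03T02:13:20,ws-front-207,svc_report,P-000780,demographics
2024-01-03T02:13:41,ws-front-207,svc_report,P-000781,demographics
"""

WATCHLIST = {"P-VIP-001"}  # hypothetical IDs of patients with elevated risk
REPEAT_THRESHOLD = 3       # assumed: lookups of one watch-listed patient
BULK_THRESHOLD = 5         # assumed: distinct patients read by one source

def parse(log_text):
    fields = ["ts", "host", "account", "patient", "table"]
    return list(csv.DictReader(io.StringIO(log_text), fieldnames=fields))

def detect(records, watchlist=WATCHLIST,
           repeat_threshold=REPEAT_THRESHOLD, bulk_threshold=BULK_THRESHOLD):
    """Return alerts as (rule, host, account, patient_or_None, count)."""
    vip_hits = Counter()               # ((host, account), patient) -> lookups
    patients_seen = defaultdict(set)   # (host, account) -> distinct patients
    for r in records:
        source = (r["host"], r["account"])
        patients_seen[source].add(r["patient"])
        if r["patient"] in watchlist:
            vip_hits[(source, r["patient"])] += 1
    alerts = []
    for (source, patient), n in sorted(vip_hits.items()):
        if n >= repeat_threshold:      # targeted, repeated access to one record
            alerts.append(("repeated_vip_access", *source, patient, n))
    for source, patients in sorted(patients_seen.items()):
        if len(patients) >= bulk_threshold:   # wide sweep across many patients
            alerts.append(("bulk_patient_reads", *source, None, len(patients)))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_AUDIT_LOG)):
        print(alert)
```

A single clinician lookup of the watch-listed record stays below the threshold; in practice the counts would be taken per time window rather than over the whole log.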

Healthcare data has intelligence value. Defend accordingly.

The SingHealth breach proved that healthcare data is not just a target for financial criminals — it is a target for nation-state intelligence services seeking information about political leaders and government officials. For UK healthcare organisations, the threat model must account for both criminal and state-sponsored adversaries. Cyber Essentials provides the baseline. Penetration testing validates controls against sophisticated adversaries. SOC in a Box for Healthcare monitors continuously. And UK Cyber Defence's threat intelligence provides awareness of campaigns targeting the healthcare sector.


A nation-state targeted the Prime Minister's medical records. What VIP data does your healthcare organisation hold?

<a href="/penetration-testing">Penetration testing</a> validates your healthcare security. <a href="https://www.socinabox.co.uk/sectors/gp-surgeries">SOC in a Box for Healthcare</a> monitors 24/7. <a href="/cyber-essentials">Cyber Essentials</a> provides the baseline.
