Fullerton Health, vendor fined $68k in total after data leaked for sale … – The Straits Times

SINGAPORE - Fullerton Health Group, which runs at least 30 clinics here and ran many of the Covid-19 vaccination centres here at the height of the pandemic, has been fined $58,000 over a 2021 data leak that exposed the personal details of patients and of the employees of its corporate clients.

The customer data it shared with a vendor was left exposed without password protection for months.

This led to the personal data of 133,866 patients and 23,034 employees of its corporate clients being leaked, including their NRIC numbers, contact details, bank account numbers and codes and health information, said the Personal Data Protection Commission (PDPC) in its case findings on Thursday.

Agape Connecting People, the vendor Fullerton Health hired to provide call centre and appointment booking services, was fined $10,000 for failing to secure the customer data entrusted to it by the healthcare group.

The data was found peddled on the Dark Web in late 2021, which prompted Fullerton Health and Agape to request investigations to be handled by the PDPC in January 2022.

The PDPC's written judgment found that Fullerton Health had worsened the situation by providing Agape with personal data that the vendor did not require. It had also lapsed in its responsibility to supervise the vendor.

As part of its social enterprise initiatives, Agape engaged inmates from the Changi Women's Prison to assist with the services on behalf of Fullerton Health, said the PDPC.

The group shared the personal data of its customers with Agape via Microsoft SharePoint, a cloud-based document management system, which could be accessed by only a computer issued to Agape by Fullerton Health.

As part of the procedure, customer data was downloaded from this computer to a separate online drive that was linked to the Internet. Only selected inmates could access the files.

The investigation found that while Agape conducted periodic security checks on its IT systems, it did not check the file server that stored data from Fullerton Health, which was a legacy feature unique to the partnership and not implemented for Agape's other clients.

The password for the drive had been disabled for about 20 months, and no expiry date had been set.

Agape admitted that this caused the online drive to become an open directory listing on the Internet with no password protection, and highly vulnerable to unauthorised access, modification and similar risks over an excessive period of time, said the PDPC.

It added that the cause of leaving the drive without a password could not be established.
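The failure described above, a vendor-hosted drive reachable from the Internet with its password disabled and an open directory listing, is something a supervising organisation can check for itself rather than discover from a Dark Web listing. The Python script below is an added example and is not part of the Straits Times article or of either company's tooling; the hostnames, URLs and HTTP responses are constructed for illustration. It classifies each response from a share endpoint as access-controlled, listing-disabled, or an open directory index, using the fingerprints that common web servers emit for auto-generated indexes, and reports the endpoints that need attention.

```python
"""Audit vendor-facing share URLs for open directory listings.

Added example (not from the article). Sample responses below are constructed.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class HttpResponse:
    status: int
    headers: Dict[str, str]
    body: str


# Fingerprints of auto-generated directory indexes from common servers.
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of\s", re.IGNORECASE),           # Apache, nginx autoindex
    re.compile(r"Directory listing for", re.IGNORECASE),          # python -m http.server
    re.compile(r">\s*\[?Parent Directory\]?\s*<", re.IGNORECASE),  # Apache / IIS index pages
)


def classify(resp: HttpResponse) -> str:
    """Return a coarse verdict for one response from a share endpoint."""
    hdrs = {k.lower(): v for k, v in resp.headers.items()}
    if resp.status in (401, 407) and ("www-authenticate" in hdrs or "proxy-authenticate" in hdrs):
        return "auth-required"          # a credential challenge was issued
    if resp.status in (301, 302, 303, 307, 308) and "location" in hdrs:
        return "redirect"               # probably a login portal; follow up manually
    if resp.status == 403:
        return "listing-disabled"       # server refuses to enumerate the directory
    if resp.status == 200:
        ctype = hdrs.get("content-type", "")
        if "text/html" in ctype and any(m.search(resp.body) for m in LISTING_MARKERS):
            return "open-listing"       # anonymous directory index: the incident pattern
        return "content-no-listing"     # served something, but not an index page
    return "other"


def audit(responses: Dict[str, HttpResponse]) -> List[str]:
    """Return the URLs whose response is an open directory listing."""
    return sorted(url for url, r in responses.items() if classify(r) == "open-listing")


def fetch(url: str, timeout: float = 10.0) -> HttpResponse:
    """Fetch one of your own share URLs anonymously (no credentials sent)."""
    req = urllib.request.Request(url, headers={"User-Agent": "share-audit/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            body = r.read(65536).decode("utf-8", "replace")
            return HttpResponse(r.status, dict(r.headers.items()), body)
    except urllib.error.HTTPError as e:  # 4xx/5xx still carry useful headers
        body = e.read(65536).decode("utf-8", "replace")
        return HttpResponse(e.code, dict(e.headers.items()), body)


# Constructed sample responses; the hostname is a placeholder, not a real share.
SAMPLE_RESPONSES = {
    "https://share.example.invalid/exports/": HttpResponse(
        200, {"Content-Type": "text/html; charset=utf-8"},
        '<html><head><title>Index of /exports</title></head><body>'
        '<h1>Index of /exports</h1><a href="patients.csv">patients.csv</a></body></html>'),
    "https://share.example.invalid/protected/": HttpResponse(
        401, {"WWW-Authenticate": 'Basic realm="share"', "Content-Type": "text/html"},
        "<html><body>Unauthorized</body></html>"),
    "https://share.example.invalid/noindex/": HttpResponse(
        403, {"Content-Type": "text/html"}, "<html><body>Forbidden</body></html>"),
    "https://share.example.invalid/app/": HttpResponse(
        200, {"Content-Type": "text/html"},
        "<html><head><title>Booking portal</title></head><body>Sign in</body></html>"),
}


if __name__ == "__main__":
    for url, resp in SAMPLE_RESPONSES.items():
        print(f"{classify(resp):20s} {url}")
    print("needs attention:", audit(SAMPLE_RESPONSES))
```

Run it against the URLs of shares you operate or have contractually agreed with a vendor; a verdict of "open-listing" means anyone on the Internet can enumerate the files, and "content-no-listing" still warrants a manual look, since a known file path may be downloadable without an index page.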

The case came to light on Oct 15, 2021, when Fullerton Health realised its customer data had been sold on a Dark Web forum.

Its cyber-security consultants contacted the seller, who claimed that the data had been stolen from Agape's file servers. The Dark Web listing was removed by Oct 22 that year and the online drive was suspended.
