The personal data of 1.5 million patients in Singapore has been hacked in the country’s largest cyber attack, the government announced last week. 160,000 of these patients, including Prime Minister Lee Hsien Loong, had their outpatient prescription data stolen as well.

The attackers had accessed and copied information such as names, identity card (IC) numbers, addresses, gender, race, and dates of birth. According to investigations by Integrated Health Information Systems, the data was stolen between 27 June and 4 July 2018.

They accessed the records by hacking into the networks of SingHealth, the country’s largest group of healthcare institutions. The 1.5 million records stolen were of patients who had visited SingHealth clinics or hospitals from 1 May 2015 to 4 July 2018.

According to a Ministry of Health statement, the attackers did not tamper with the stolen personal particulars and outpatient data, and did not access other types of records, such as diagnoses or test results.

Mr David Koh, chief executive of the Cyber Security Agency of Singapore, was quoted as saying that “this was a deliberate, targeted and well-planned cyber attack” and that “it was not the work of casual hackers or criminal gangs”.

The attack is likely to be state-sponsored, according to experts quoted by TODAYonline. The authorities have established who might be behind such an attack, but details have not yet been revealed. There are only a few countries in the world which display the level of sophistication shown during the attack, the report said.

All of Singapore’s Smart Nation plans have been paused in light of this attack. One such initiative is mandatory contribution to the National Electronic Health Record (NEHR) project, which allows the sharing of patient data among hospitals.

Singaporeans have expressed “shock and anger” that their personal data was stolen, according to local media, and in particular, are worried about their identity numbers being in the wrong hands. In Singapore, people commonly use their identity numbers as part of a digital identity system that connects to various government services.

“Such data can fetch a high price” on the Dark Web, said Leonard Kleinman, Senior Director of IT Security for the Australian Tax Office and cyber security advisor to security company RSA. “According to the 2017 Cost of Data Breach Study by Ponemone, a lost or stolen healthcare record fetches US$408,” he said.

Image from Changi General Hospital’s Facebook page