Hospitals hold some of the most sensitive information in the world and cybercriminals know it. As breaches rise, the healthcare sector faces a critical test: how to safeguard personal details under PDPA while staying ahead of increasingly desperate digital thieves. By K Dass.
In today’s digital-first healthcare environment, patient data has become the new gold. Electronic medical records, cloud-based portals, and remote access tools have revolutionized care delivery, but they have also created vulnerabilities that cybercriminals are eager to exploit. Unlike financial data, which can be quickly cancelled or replaced, medical records contain permanent details such as diagnoses, treatment histories, and personal identifiers—that can be sold for high value on the black market.
Rising Breaches in Healthcare
Singapore’s healthcare sector has already seen high-profile breaches. In 2018, Singapore’s worst cyberattack hit SingHealth, exposing the personal details of 1.5 million patients including outpatient prescription records of then Prime Minister Lee Hsien Loong. This breach underscored how hospitals are prime targets for hackers seeking sensitive medical data. More recent reports show healthcare breaches affecting tens of millions globally, with Asia increasingly in the spotlight.
In 2022, Farrer Park Hospital was fined S$58,000 after confidential medical information of nearly 2,000 patients was automatically forwarded to a third party over a two-year period. Such incidents highlight how lapses in email security or system oversight can expose thousands of individuals to identity theft and fraud.
Globally, healthcare breaches are escalating. Cybersecurity experts note that hospitals are particularly vulnerable because they often run on legacy IT systems, prioritize patient care over technical upgrades, and store vast amounts of sensitive data.
PDPA and the Compliance Challenge
Under Singapore’s Personal Data Protection Act (PDPA), healthcare organizations must implement “reasonable security arrangements” to protect patient data. They are also required to notify the Personal Data Protection Commission (PDPC) and affected individuals when breaches occur.
PDPA Emphasis
• Consent: Patients must agree to how their data is collected and used.
• Purpose Limitation: Data can only be used for the purposes stated at collection.
• Notification: Breaches must be reported promptly to regulators and patients.
Why Patient Data Is So Valuable
On the dark web, a single medical record can fetch 10 times more than a stolen credit card number often selling for $260–$310 compared to $30–$50 for financial data. This is because health records contain comprehensive personal details: identity, insurance, and medical history, which can be exploited for fraud or blackmail.
This data can be used for insurance fraud, blackmail, or even to create synthetic identities. Hence, healthcare providers are now investing heavily in cybersecurity measures such as:
• Encryption of medical records to prevent unauthorized access.
• Multi-factor authentication for staff logins.
• Regular audits and penetration testing to identify vulnerabilities.
• Staff training to reduce human error, which remains a leading cause of breaches.
Cybersecurity consultants warn that hospitals must treat data protection as a core part of patient safety. Just as infection control is non-negotiable in clinical care, digital hygiene must be non-negotiable in data management. The healthcare sector stands at a crossroads. Patient trust depends not only on medical expertise but also on the assurance that personal details are safe. As cybercriminals grow bolder, hospitals must recognize that protecting data is no longer just an IT issue, it is a matter of public health.
