Singapore: PDPC fines Farrer Park Hospital SGD 58,000 for data breach

The Personal Data Protection Commission ('PDPC') published, on 18 November 2022, its decision in Case No. DP-2007-B66646, in which it imposed a fine of SGD 58,000 (approx. €40,419) on Farrer Park Hospital Pte. Ltd. for violations of Section 24 of the Personal Data Protection Act (No. 26 of 2012) ('PDPA'), following a data breach.

Background to the decision

In particular, the PDPC highlighted that it had received a data breach notification from Farrer Park Hospital, reporting that around 9,271 internal emails had been forwarded from two employee accounts to third-party email addresses, thereby disclosing the personal data of 3,539 individuals.

Findings of the PDPC

Following its investigation, the PDPC noted that of the 9,271 emails forwarded to third parties, the personal data of 3,539 individuals was disclosed, including the medical information of 1,923 individuals. Further, the PDPC held that, although Farrer Park Hospital implemented remedial measures in the wake of the incident, it had failed to implement reasonable security arrangements to protect personal information in email accounts. Likewise, the PDPC found that, considering the volume of sensitive medical information processed through email accounts, Farrer Park Hospital should have implemented stronger security arrangements. Accordingly, the PDPC established that Farrer Park Hospital violated Section 24 of the PDPA.

Outcomes

As a result, the PDPC imposed the aforementioned fine for the violation of Section 24 of the PDPA, taking into account the late admission of responsibility and the large volume of sensitive personal information affected.

You can read the announcement here and the decision here.
