Singapore: PDPC fines healthcare companies a combined SGD 68,000 for inadequate security measures
The Personal Data Protection Commission (PDPC) published, on June 22, 2023, its decision in Case No. DP-2110-B9060, in which it imposed a fine of SGD 58,400 (approx. €39,500) and SGD 10,000 (approx. €6,810) on Fullerton Healthcare Group Pte. Ltd. (FHG) and Agape, Connecting People Pte Ltd respectively, for violations of the Personal Data Protection Act 2012 (No. 26 of 2012) (PDPA), following a data breach notification.
Background to the decision
The PDPC noted that it received notifications from both FHG and Agape in October 2021 that the personal data of FHG customers had been accessed, exfiltrated, and offered for sale on the dark web. The PDPC clarified that FHG had engaged Agape to provide services for FHG's customers, that FHG provided Agape with access to the personal data of its customers via Microsoft SharePoint, and that a single Agape personal computer was authorized to access FHG's SharePoint platform.
Findings of the PDPC
Following its investigation, the PDPC found that the personal data of 156,900 individuals had been accessed, namely 133,866 patients of FHG and 23,034 employees of FHG's corporate clients. The personal data accessed included names, dates of birth, gender, email addresses, telephone numbers, financial information, and health information, as well as the passport numbers of employees. Both FHG and Agape were found to have failed to implement reasonable security arrangements to protect the personal data that was accessed and exfiltrated, in violation of Section 24 of the PDPA. More specifically, Agape, as an intermediary, was also found to have breached the protection obligation in relation to customer data, in violation of Section 4(2) of the PDPA.
The PDPC imposed the aforementioned fines for the violations of the PDPA, taking into account FHG's and Agape's remedial actions and that they were cooperative during the investigation.
In addition, the PDPC imposed corrective actions requiring FHG to:
- review processes and contractual obligations with Agape and existing vendors processing personal data on behalf of FHG; and
- review existing internal processes to ensure that only the personal data necessary for fulfilling contractual obligations is disclosed to vendors, via secured channels and with reasonable access controls appropriate to the type and volume of personal data being disclosed.
Likewise, the PDPC imposed corrective actions requiring Agape to:
- ensure that the scope of its periodic security reviews and any security audits include the protection of personal data handled in all of Agape's systems and processes; and
- resolve and record in writing with FHG the data protection requirements and job specifications for the processing of personal data on behalf of FHG.