33 THE PUBLIC ANNOUNCEMENT AND PATIENT OUTREACH AND COMMUNICATIONS

33.1 The public announcement

624. After being notified of the Cyber Attack, SingHealth’s senior management, in consultation with MOH, IHiS, CSA, and MCI, began making plans for a public announcement, and for patient outreach and communications.

625. SingHealth’s senior management recognised that SingHealth had an obligation to inform, in the shortest time reasonably possible, all patients who may have been affected by the Cyber Attack. At the same time, it was recognised that any announcement should not compromise ongoing forensic investigations, and that information should not leak out in an uncontrolled way that may cause public panic.

626. SingHealth’s senior management was also of the view that before a public announcement could be made, they had to first ensure that patient data was intact and secure, and to obtain more information about the attack, including the information that was accessed and whether there was any exfiltration. Such information was not available as at 10 July 2018, but would be necessary before concrete plans for the announcement and patient outreach and communications could be made, as they had to be able to address patients’ concerns and anxieties.

627. On 12 July 2018, Prof. Kenneth attended a meeting called by MOH. There was agreement at the meeting that more information was required before making a public announcement. In particular, the number of patients affected was still in flux. Following this meeting, Prof. Kenneth started mobilising resources for SingHealth’s patient outreach and communications plan by briefing SingHealth’s Communications Team on the outline of the Cyber Attack.

628. On 13 July 2018 at pm, Prof. Kenneth attended a meeting with MOH. At this meeting, IHiS confirmed that data had been exfiltrated and the type of data affected: (a) 4,600 line items of dispensed medication records had been