COI Report – Part IV
Page
159 of
425 (e) Whether data in the SCM database had in fact been accessed and f) Whether there was more than one instance of access to the SCM database.
495. Ernest has explained that despite the fact that access to the SCM database would have meant that patient data had been accessed (
i.e. item (e) above, the events of 4 July 2018 “
just aroused (his) suspicions” and “
still did not rise to the level of a reportable security incident”, as he had to obtained all other necessary information in (a) to (f) above.
496. As such, upon receiving Benjamin’s messages, Ernest did not agree that
the matter had to be escalated, and simply told Benjamin to “
continue to investigate and isolate”. This remained his view even after he found out more about the use of the AA. account and the second program.
26.9 Wee’s reasons for not reporting the incident 497. Wee was with Ernest when they spoke with Katherine and Vida (see section 26.7 (pg 157) above. Although he saw that the test
query had returned a record, and heard that the database table had “
something to do with medication”, Wee erroneously thought that the record did not contain any sensitive or up-to- date data, and assumed that the records that the SQL query was seeking to retrieve similarly would not return any sensitive data. He also heard from Katherine that
the second program was used, and this was not a tool that database administrators used.
498. Despite the above, Wee did not seek any clarifications from Benjamin on the matters raised in SCM Breach.pptx, or to take further steps to investigate or clarify what he saw as a “
potential breach”. Wee also did not did not make any suggestions to Ernest on the investigations.
499. In Wee’s view, if there had been a breach in the SCM, it would have been a Category 1
security incident, and he would have to report the incident to the
