At the Committee of Inquiry hearing last Thursday (Nov 1), the Singapore Ministry of Health and its appointed IT system contract pointed at fingers at each other blaming the other for the recent data breach, that led to the 1.5 million patients’ data being stolen in June. The CEO of the crony contractor, Integrated Health System (IHiS), was created by the former Chief Information Officer (CIO) at the Ministry of Health, Bruce Liang. The corrupted Health Ministry had given its CIO’s business lucrative government IT contracts while he was sitting concurrently as the CIO.
The government committee representing the Ministry of Health had earlier blamed the contractor for failing to report a breach incident, but IHiS refused to be a scapegoat. The senior manager from IHiS who first discovered the breach defended himself saying that he is not responsible for reporting security breaches and he does not want to work overtime relentlessly to patch the defect:
“Once we escalate to management, there will be no day and no night… everyone in IHiS will be working non-stop on this case…If I report the matter, what do I get? If I report the matter, I will simply get more people chasing me for more updates. If they are chasing me for more updates, I need to be able to get more information to provide to them. I avoided reporting the matter as soon as it occurred to me to report it, because the clock will start ticking.”
IHiS then hit back at the government ministry for failing to escalate the matter instead:
“Even if a cyber-security incident had occurred, he did not think that it would be his job to raise the alarm. This was because other personnel from IHiS’ senior management, such as the director for infrastructure services Serena Yong and Mr Clarence Kua, deputy director of the chief information officer’s office, would escalate it.”
The government committee however pushed the blame back to the contractor in the closing statement:
“While it may not be immediately clear if the incidents are deliberate”, the actions should have become “clearer” over the course of investigations between June 12 and 26. As such, they should have been classified as a security incident before June 26.”
Health Minister Gan Kim Yong has avoided commenting on the corruption scandal. There has been no accountability from the minister who went under the radar after appointing a committee to handle the data breach.