A former employee of the National University Hospital in Singapore has been charged for illegally accessing sensitive patient information.
Last year, the NUH filed a police report against Pubaneswary Poobalan, 39, after a complainant informed the hospital about its former senior patient service associate inappropriately accessing their record.
Based on a report by Straits Times, Poobalan video recorded herself accessing the hospital's business process platform to check the complainant's records.
Although she was permitted to access the platform as an employee to manage patient appointments and billings, she was not supposed to retrieve patient information beyond her scope.
For this, Poobalan was charged under the Computer Misuse Act 1993, which penalises unauthorised access and misuse of computer systems.
According to the Straits Times report, she pled guilty to the charge and was fined by the court SG$3,800 ($2,800) – an amount roughly worth a month's pay for an employee of her rank, based on the jobs website Glassdoor.
"We deeply regret this incident. Protecting and upholding the confidentiality of patient information is paramount to us, and we do not tolerate the violation of this trust," a NUH spokesperson told Healthcare IT News.
NUH had requested the individuals involved in the case to delete the relevant data in their possession – which, in this case, is the copy of the video.
"We will continue to take proactive measures to safeguard patient data and educate our staff on the critical importance of data protection. We are also committed to working with the relevant authorities to strengthen our practices and prevent similar incidents in the future," the spokesperson added.
THE LARGER CONTEXT
In recent years, the Singaporean government has laid out plans to help improve cybersecurity and privacy across health settings amid heightened attacks against healthcare, which remains among the top three targeted sectors in the country.
In 2021, the Ministry of Health issued the Healthcare Cybersecurity Essentials guidelines for healthcare providers to establish and constantly review their security safeguards, enforce new measures, and adopt best practices to secure their IT systems.
Cyber Security Agency of Singapore introduced in 2023 a voluntary scheme that incentivises medical device manufacturers adopting security-by-design in their products.
Meanwhile, the proposed Health Information Bill aims, among others, to set out cyber and data security requirements, including staff training and regular backups and updates.