Written Answer

Illegal Access to Health Promotion Board's HealthHub Accounts in September and October 2018

Summary

This question concerns illegal access attempts to Health Promotion Board’s (HPB) HealthHub accounts in September and October 2018, as raised by Ms Joan Pereira. Minister for Health Gan Kim Yong reported that 72 accounts were accessed using email addresses likely obtained from other compromised sources, though no system breach was found. The Minister clarified that unauthorized access was limited to basic user profiles and Healthpoints, while services requiring SingPass and two-factor authentication remained secure. Following a temporary service suspension, HPB introduced security enhancements such as automated bot protection at login and One-Time Passwords for Healthpoints redemption. Minister for Health Gan Kim Yong stated that further incidents have not been detected and both HPB and IHiS will continue to strengthen system monitoring and cyber defenses.

Transcript

12 Ms Joan Pereira asked the Minister for Health (a) whether he can provide an update on the attempts to illegally access Health Promotion Board's (HPB) HealthHub accounts in September and October 2018; (b) why are the hackers still able to attack the accounts despite remedial steps taken; and (c) how can users of the apps developed by HPB be assured that their identities are being kept safe.

Mr Gan Kim Yong: The Health Promotion Board (HPB) and Integrated Health Information Systems (IHiS) investigated a case of an unusually high number of attempts to log into HealthHub on four days within a short period (that is, 28 September 2018, 3 October 2018, 8 October 2018 and 9 October 2018). The investigation revealed that attempts were made with more than 27,000 email addresses. 98% of the email addresses used were not related to HealthHub account IDs, and these attempts were unsuccessful. Nevertheless, 72 accounts were successfully accessed during the four days.

The high volume of email addresses not related to HealthHub account IDs and the repeated attempts suggest that the email addresses used were likely to have been obtained from other compromised sources. No evidence of a breach in the HealthHub system has been found.

The unusual log-in attempts and access were limited to the basic tier of HealthHub, which contained the user's self-populated profile and any Healthpoints accumulated through participation in HPB programmes. Access to other e-services requires SingPass and 2-factor authentication, and these were not affected.

As a precaution, access to all HealthHub mobile application and HealthHub website e-services was suspended from 9 to 14 October 2018. The 72 HealthHub accounts of concern were locked, and HPB contacted each of the account holders to ascertain if the log-ins were legitimate and to alert them of the access to their accounts. The investigation found that none of the accounts were adversely affected. 15 users had legitimately logged into their accounts, while two users suspected that their accounts were accessed without authorisation. It was inconclusive as to whether the remaining 55 accounts were accessed without authorisation. HPB provided all the 72 account holders with advice on how they could unlock their accounts and reset the passwords.

HPB has included a security advisory in HealthHub to remind users on the need to use strong passwords for their online accounts and to refrain from using the same password for different websites and applications. In December 2018, further precautionary measures were also implemented, including (i) introducing an authentication at the point of login that protects against automated attacks by malicious bots; and (ii) introducing a One Time Password (OTP) for the redemption of Healthpoints.

IHiS and HPB have not detected further incidents of unusual log-ins since. They will continue to strengthen their systems for better protection, monitoring and response to cyber threats.