Update on the attempts to illegally access Health Promotion Board's (HPB) HealthHub accounts
15 January 2019
Notice Paper No 1466
Notice of question for written answer
For the sitting of parliament on 14 Jan 2019
Name and constituency of Member of Parliament
Ms Joan Pereira
MP for Tanjong Pagar GRC
Question No 1075
To ask the Minister for Health (a) whether he can provide an update on the attempts to illegally access Health Promotion Board's (HPB) HealthHub accounts in September and October 2018; (b) why the hackers are still able to attack the accounts despite remedial steps taken; and (c) how users of the apps developed by HPB can be assured that their identities are being kept safe.
Answer
The Health Promotion Board (HPB) and Integrated Health Information Systems (IHiS) investigated a case of an unusually high number of attempts to log into HealthHub on four days within a short period (i.e. 28 September 2018, 3 October 2018, 8 October 2018 and 9 October 2018). The investigation revealed that attempts were made with more than 27,000 email addresses. 98% of the email addresses used were not related to HealthHub account IDs, and these attempts were unsuccessful. Nevertheless, 72 accounts were successfully accessed during the four days.
The high volume of email addresses not related to HealthHub account IDs and the repeated attempts suggest that the email addresses used were likely to have been obtained from other compromised sources. No evidence of a breach in the HealthHub system has been found.
The unusual log-in attempts and access were limited to the basic tier of HealthHub, which contained the user’s self-populated profile and any Healthpoints accumulated through participation in HPB programmes. Access to other e-services requires SingPass and 2-factor authentication, and these were not affected.
As a precaution, access to all HealthHub mobile application and HealthHub website e-services was suspended from 9 to 14 October 2018. The 72 HealthHub accounts of concern were locked, and HPB contacted each of the account holders to ascertain if the log-ins were legitimate and to alert them to the access to their accounts. The investigation found that none of the accounts were adversely affected. 15 users had legitimately logged into their accounts, while two users suspected that their accounts were accessed without authorisation. It was inconclusive as to whether the remaining 55 accounts were accessed without authorisation. HPB provided all the 72 account holders with advice on how they could unlock their accounts and reset the passwords.
HPB has included a security advisory in HealthHub to remind users of the need to use strong passwords for their online accounts and to refrain from using the same password for different websites and applications. In December 2018, further precautionary measures were also implemented, including (i) introducing an authentication at the point of login that protects against automated attacks by malicious bots; and (ii) introducing a One Time Password (OTP) for the redemption of Healthpoints.
IHiS and HPB have not detected further incidents of unusual log-ins since. They will continue to strengthen their systems for better protection, monitoring and response to cyber threats.