The Ministry of Health’s (MOH) HealthHub portal was recently hit by unauthorised log-ins that affected 72 accounts.
After a user reported suspicions that her email account had been used to log in to the portal without her authorisation, the Health Promotion Board (HPB) and Integrated Health Information Systems (IHiS) began investigating cases of unusual log-ins.
According to their statement released on 18 October, investigations found that the number of attempted log-ins to HealthHub were higher than normal on 4 days; 28 September, 3 October, 8 October, and 9 October 2018.
These log-in attempts were made with over 27,000 unique email accounts, but 98% of the were unsuccessful as the email addresses used were not related to a HealthHub account.
In the 4 days, 72 accounts were successfully logged into without authorisation.
However, illegal access gained through these 72 accounts were only limited to the basic tier, including self-populated profiles and points accumulated by users for rewards.
HPB and IHis have said “no evidence of a breach in the HealthHub system has been found”.
Users’ personal medical data would not have been reached through the unauthorised log-ins, as it would require logging in with SingPass and a two-factor authentication.
HealthHub’s website and mobile app were shut down from 9 to 14 October 2018 for precautionary measure, and the 72 compromised accounts were locked.
The affected users were informed by HPB and advised on how they could unlock their accounts and reset their passwords.
HealthHub’s services online have seen been restored.