Cyber Incident Victim: HMI Institute of Health Sciences
Date:
Dec 2019
Location:
Singapore
Summary
A ransomware attack encrypted a file server at HMI Institute of Health Sciences, compromising personal data of over 120,000 individuals, predominantly Singapore Armed Forces personnel who attended training courses. The compromised information included full names, national identification numbers, birth dates, home addresses, and email addresses. The organization isolated the affected server, initiated forensic investigations, and asserted a low likelihood of data exfiltration despite the encryption. This incident occurred alongside a separate phishing-related breach at another vendor handling military personnel data, collectively exposing sensitive information and prompting broader reviews of vendor cybersecurity standards by Singaporean defense authorities. The breaches contributed to ongoing national concerns about systemic data protection vulnerabilities across public sector suppliers.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On 4 December 2019, HMI Institute of Health Sciences discovered a ransomware attack that encrypted a file server containing personal data of over 120,000 individuals. The compromised information included full names, NRIC numbers, dates of birth, home addresses, and email addresses. Approximately 98,000 affected individuals were Singapore Armed Forces (SAF) servicemen who had attended Cardio Pulmonary Resuscitation (CPR) and Automated External Defibrillation (AED) courses provided by HMI Institute under a contract with MINDEF/SAF dating back to 2016. The institute immediately isolated the compromised server from the internet and internal networks upon detection. HMI engaged a cybersecurity firm to conduct forensic investigations, which determined the ransomware attack appeared random and opportunistic. Investigators found no evidence that data had been copied or exported from the affected server, leading HMI to assess a "low likelihood of a data leak" despite the encryption incident. Executive Director Tee Soo Kong publicly apologized to affected individuals and emphasized that preserving privacy and data security were top priorities. The institute implemented additional cybersecurity measures to strengthen defenses against sophisticated intrusions following the incident.
MINDEF/SAF confirmed the breach through an official statement on 21 December 2019, noting that while their own systems remained uncompromised, vendor cybersecurity failures potentially exposed personnel data. The ministry initiated notifications to affected SAF personnel starting from the disclosure date. Defence Cyber Chief Brigadier-General Mark Tan announced plans to review cybersecurity standards across all vendors handling military personnel data, incorporating security capabilities as a contract award criterion. HMI Institute and ST Logistics (another affected vendor) both reported the incidents to Singapore's Personal Data Protection Commission (PDPC) and the Singapore Computer Emergency Response Team (SingCERT), with PDPC investigations ongoing at the time of reporting. This breach occurred amid heightened national scrutiny of data security following multiple 2019 incidents, including unauthorized HIV registry disclosures and healthcare data exposures, which had prompted the Singapore government to establish the Public Sector Data Security Review Committee earlier that year. MINDEF concurrently engaged other vendors holding military personnel information to implement immediate security enhancements across their IT systems.