Third-Party Information Breach Incident
Fullerton Health has been informed that there has been unauthorized access into a server used by our third-party service provider Agape CP Holdings Pte. Ltd. (AGAPE), who assists us in making bookings for appointments for our patients. We would like to assure you that none of Fullerton Health’s own IT systems and databases have been affected by this incident.
A batch of working files containing Fullerton Health’s customer personal data could potentially be exposed on AGAPE’s system as a result of this incident.
AGAPE has suspended use of their server with immediate effect and is working closely with us as part of the investigations.
Fullerton Health has notified the Personal Data Protection Commission and lodged a Police report.
We engaged a team of leading digital forensic and cybersecurity experts conduct investigations into this matter.
Our customers’ personal data is of utmost importance, and we have reached out to all affected customers
We continue to deliver all Fullerton Health services with no disruption.
Frequently Asked Questions
Following an intensive investigation by our IT department in consultation with leading digital forensic and cybersecurity experts, we have determined that unauthorized person(s) had gained access to a server used by Agape CP Holdings Pte. Ltd. (“AGAPE”), a third party service provider who assists us in making bookings for appointments for our patients.
We would like to assure you that none of Fullerton Health’s own IT systems and databases have been affected by this incident.
Customer personal data that might potentially be exposed includes names, NRIC or identity numbers and contact details. We would like to assure you that no credit card information or passwords were exposed.
A limited number of individuals potentially have health or bank-related data exposed, we have mentioned this specifically when we contacted them directly.
No data relating to Covid-19 vaccinations done at our Vaccination Centres was exposed or compromised as a result of this incident, since this is kept on a separate secure system and not shared with Agape.
- Fullerton Health has notified the Personal Data Protection Commission and the Police on the incident.
- We have promptly activated the incident management team to assess and contain the situation, and engaged a team of leading digital forensic and cybersecurity experts to investigate and provide technical advice.
- We took immediate action to confirm that there was no breach of Fullerton Health’s own IT network, systems and databases.
- We confirmed that AGAPE has suspended use of the affected server and tightened protocol on usage of customer data.
- We conducted a thorough review of our processes and protocols to ensure continual strengthening of our overall data security procedure.
- We contacted all affected companies and individuals to enable them to mitigate potential risks.
We recommend you take the following steps to guard against potential risks:
• Do not use your personal information as part of any of your passwords and change your passwords regularly.
• Set your passwords in a way that makes it very hard for people to associate with you (e.g., strong or complex password made up of alphanumeric characters and symbols).
• Stay vigilant against phishing attempts and monitor for any suspicious activity.
• Be wary of anyone contacting you requesting personal data or access credentials from you, even if they appear to know other details about you.
• Be careful of unsolicited telephone calls, emails or SMS messages which purport to be from a government authority or business, particularly those asking for your personal data.
• Never share your One-Time Password (OTP) with anyone, even your family members.
For those whose bank details may have been compromised, we recommend you take additional steps to prevent misuse of this information:
• Check for any fraudulent activities and transactions in your account.
• Inform the bank that your bank account details may have been compromised.
We would like to assure you that none of Fullerton Health’s own IT network, systems and databases have been affected by this incident.
We continue to deliver all Fullerton Health services with no disruption.
We conducted a thorough review of our processes and protocols relating to data security and the use of third party service providers to further strengthen our information security.
We have confirmed that there has been no compromise of Fullerton Health’s own IT network, systems and databases in this incident. We would like to further share that we have in place multiple layers of IT data security measures in line with industry best practices for cybersecurity and data security.
AGAPE has confirmed that they have suspended all use of the affected server.
The protection of our customers’ personal data is of utmost importance to Fullerton Health, and we are committed to continual strengthening of our IT and data security framework to ensure that personal data is secure with us.
Although there is no evidence to-date that customers’ data has been used inappropriately, Fullerton Health assisted to safeguard customer’s identity and personal information by offering six months of complimentary credit monitoring service through Credit Bureau Singapore.
My Credit Monitor service acts as your third eye to monitor your credit report, looks out for predetermined activities and notifies you through your preferred email or mobile number:
- If there are enquiries made by any lender for new credit facility
- When a search has been made on your own credit file
- Deteriorating account status assigned to any of your credit facilities
- New and updated status on default records, and litigation proceedings.
For further queries or clarifications, please contact pdpa@fullertonhealth.com