Singapore’s privacy watchdog has levied fines totaling over $1 million against those responsible for the massive 2018 SingHealth data breach. Last July, hackers infiltrated the databases of SingHealth, the largest group of healthcare institutions in Singapore. The hackers were able to exfiltrate the personal information of 1.5 million patients, including Prime Minister Lee Hsien Loong.

Prior to the incident, SingHealth had delegated its cyber security operations entirely to IT vendor Integrated Health Information Services (IHiS). The Committee of Inquiry (COI) has found both organizations guilty of failing to secure patient data, levying fines of $750,000 against IHiS and $250,000 against SingHealth."Even if organizations delegate work to vendors, organizations as data controllers must ultimately take responsibility for the personal data that they have collected from their customers," said the Personal Data Protection Commission.