​Prof Ivy Ng, Group CEO of SingHealth, said, "Our primary obligation is to our patients and we take our responsibility to protect their data very seriously.

We sincerely apologise to all our patients and accept the decision of the Personal Data Protection Commission (PDPC).

We are making changes to enhance our cybersecurity governance structures and improve management oversight of our critical systems. We are also working with IHiS to comprehensively upgrade our cyber defense systems and processes to more effectively guard against cybersecurity risks, as well as to respond in a timely and robust manner to any intrusion.

We are fully committed to learning and improving from this incident. We will embed cybersecurity consciousness into our daily operations and ensure that stringent measures are in place to safeguard our patients’ data."


Mr Peter Seah, Chairman of SingHealth, said, "Patient safety and data confidentiality are the foremost priorities in SingHealth as our patients entrust us with their care and data. The COI conducted a comprehensive review of factors which contributed to the attack. The Board accepts the findings of the COI and the decision of the Personal Data Protection Commission (PDPC), and will ensure that the recommendations are implemented.

As the owner of the data, we accept responsibility and apologise to our patients for the incident. The SingHealth senior leadership, including its Group CEO, has voluntarily accepted a financial penalty."