Undertaking by Methodist Welfare Services

Background

On 23 June 2022, the Personal Data Protection Commission (the “Commission”) received a data breach notification from Methodist Welfare Services (the “Organisation”) informing it that the servers belonging to its Bethany Nursing Home Choa Chu Kang had been encrypted by ransomware (the “Incident”). The cause of the ransomware attack could not be established as the Organisation had reformatted its servers to restore its business operations as soon as possible.

As a result of the Incident, the personal data of approximately 500 residents, including their names, addresses, NRIC numbers, dates of birth, phone numbers, email addresses and vaccination records, were encrypted and rendered inaccessible. Invoices that reflect the names and residential addresses of the residents’ family members were also affected.

The Commission found the Organisation to be lacklustre in its cybersecurity and data protection practices as it did not have relevant processes on IT security and did not provide any training for its employees on cybersecurity and data protection issues.  

Remedial Actions

After the Incident, the Organisation implemented the following remedial actions:

(a) Decommissioned its on-premises servers and migrated to a cloud-based server;

(b) Implemented appropriate technical measures to improve network security; and

(c) Issued reminders to educate its employees on cybersecurity best practices.

Voluntary Undertaking

Having considered the circumstances of the case, the Commission accepted a voluntary undertaking (the “Undertaking”) from the Organisation, executed on 9 November 2022, to engage an external service provider to improve its cybersecurity set-up and its data protection practices and policies.

As part of the Undertaking, after the initial set-up, the external service provider will conduct two further reviews. The first review will be conducted 6 months after the initial set-up has been completed and the second review will be conducted one year after the first review. The reviews are to ensure, among other things, that the latest software updates have been installed on the Organisation’s devices and systems.

The Commission will verify the Organisation’s compliance with the Undertaking. If the Organisation fails to comply with any terms of the Undertaking, the Commission may issue a direction so as to ensure the Organisation’s compliance with the Undertaking.