National Healthcare Group Pte Ltd fined SGD 6k

On 26/Dec/2019, National Healthcare Group Pte Ltd received a privacy fine of SGD 6,000. The enforcement authority (Personal Data Protection Commission) has cited these legal provisions in imposing the fine on National Healthcare Group Pte Ltd: PDPA2012/


Date of enforcement action:
Jurisdiction: Fine imposed:
Singapore Flag for Singapore, which is the jurisdiction taking enforcement action SGD 6,000 (US$4,400)
Defendant company or entity: Industry segment:
National Healthcare Group Pte Ltd Medical /

Case summary

The PDPC, in a recent decision (26/Dec/2019), imposed a financial penalty of $6,000 Singapore dollars (SGD) on National Healthcare Group for failing to put in place reasonable security arrangements to protect a list containing the personal data of partner doctors and members of the public from being publicly accessible online.

Internal security testing, performed by a contractor by means of a “penetration test”, identified the availability of the list online, in 2016. However apparently nothing was done to rectify this and the list was found on Google in 2018.

The list concerned 129 GPs, or doctors, and 5 other individuals.

“According to the Organisation, the vulnerability was inadvertently left unfixed as it was not sufficiently highlighted by the Vendor in the Penetration Test Report. This was an unsatisfactory excuse. First, the relevant findings and recommendations were the first item in the Penetration Test Report. Second, they were expressed in terms that no technical expertise was required for their significance to be understood. If the Organisation did not understand the findings and/o rrecommendations, it should have consulted the Vendor for clarifications.

The Organisation also asserted that it had relied on IT Services Provider and Website Developer to act on any issues identified in the Penetration Test Report. It should be reiterated that while an organisation may delegate work to vendors to comply with the PDPA, the organisation’s responsibility for complying with its statutory obligations under the PDPA may not be delegated. In this case, the Organisation failed to exercise reasonable oversight with respect to the review of the Penetration Test Report and rectification of the vulnerabilities of its Website.”

(PDPC Decision)

Applicable legal provisions

Enforcement information

Enforcement authority: Type of enforcement action:
Personal Data Protection Commission Flag for Singapore, which is the jurisdiction taking enforcement action Penalty notice
Subject to appeal?
Not known

Cite this fine in your work

Data Privacy Fines Index. (2019-12-26 05:07) National Healthcare Group Pte Ltd fined SGD 6k. Retrieved from

Entry last updated: 2020-01-13 05:31 GMT.