Indian-Origin Singapore Hospital Staff Fined for Illegally Accessing Patient Records

Incident at Singapore’s National University Hospital

A significant breach of trust occurred at Singapore’s National University Hospital (NUH) when a senior Indian-origin patient service associate was fined SGD 3,800. The individual, Pubaneswary Poobalan, aged 39, pleaded guilty to a charge of misusing a computer system by accessing a patient’s records without authorization.

Details of the Unauthorized Access

Pubaneswary Poobalan accessed the hospital’s SAP system, a crucial platform for managing healthcare operations such as maintaining patient records, scheduling appointments, and handling billing. While the system includes personal identification information, medical appointments, and billing data, it does not store patients’ medical histories.

Background and Motivation

Court documents revealed that Pubaneswary, a Singaporean who is no longer employed at NUH, received several anonymous letters at her residence between June and August 2023. The letters referenced an individual known as “the witness” in the court proceedings. Due to a gag order, further details about this individual’s identity and connection to Poobalan cannot be disclosed.

Poobalan suspected that a woman, referred to as “the victim” due to the gag order, was responsible for sending these letters. The victim was believed to have connections within the healthcare industry, possibly enabling her to obtain Poobalan’s home address.

The Unauthorized System Access

On October 23, 2023, while performing night duty at NUH, Poobalan accessed the SAP system. As a senior patient service associate, she had authorization to use the system for managing appointments and billing but was not permitted to access records of patients outside her responsibility. Despite this restriction, she searched for the victim’s records using the victim’s first name and date of birth, leading to four results, one of which belonged to the victim.

Deputy Public Prosecutor Samuel Chew stated, “The accused then accessed the victim’s records and video-recorded the victim’s NRIC number, full name, date of birth, address, and contact numbers.” Poobalan recorded her actions to demonstrate to the witness that the victim had the means to access her home address.

Investigation and Consequences

Following an online complaint from the victim on May 14, 2024, NUH launched an internal investigation. Poobalan admitted to unauthorized access of the victim’s records on the SAP system. The hospital promptly filed a police report and informed the Ministry of Health about the breach.

An NUH spokesperson stated, “We have taken immediate steps to request that the involved parties delete the relevant data in their possession. We deeply regret this incident.” The spokesperson emphasized the hospital’s commitment to safeguarding patient data and ensuring the confidentiality of patient information, declaring that any violation of this trust is intolerable.

Ongoing Commitment to Data Protection

The spokesperson assured that NUH will continue to implement proactive measures to protect patient data and educate staff on the critical importance of data protection. The incident serves as a reminder of the essential need to uphold data privacy and integrity within healthcare systems.