Transforming the healthcare delivery system with data
Mr Speaker, the Health Information Bill is transformative in the way it will set the legal framework for the mandatory contribution, collection, storage, and disclosure of health information across the entire healthcare ecosystem of Singapore. When passed, fragmented and often paper-based health records held by individual healthcare providers will be a thing of the past, morphing into a unified, interoperable National Electronic Health Record (NEHR). This is not merely a technological upgrade; the Bill promises smoother, safer, more efficient healthcare for all patients under our country’s health system. Given Singapore's rapidly ageing population, the successful implementation of the NEHR is critical to ensuring seamless care continuity across different healthcare institutions.
Trade-offs may test people’s trust
However, these benefits come with trade-offs which, if not properly addressed, will affect the people’s trust in this national Smart Nation effort. After all, nothing could be more sensitive and personal than one’s health information and records over the years. The thought of such intimate human data being viewed by nameless, faceless persons other than your own doctors, or even worse, falling into the hands of hackers, must be very real to a lot of us when we contemplate the HIB. Thus, while I support this Bill, I wish to raise a few concerns posed by HIB. I will also be speaking on the challenges for smaller healthcare operators such as single- or duo-doctor/practitioner clinics that many of my residents rely on for their daily medical needs.
Higher cyber and privacy risks within a centralised digital system
Sir, we must first recognise that the centralisation of health data across all healthcare providers - from the very small to the very large - introduces significant privacy and cybersecurity risks across the entire ecosystem.
Even with strict regulations and legal governance frameworks, there have been documented cases of unauthorised access, as well as outright hacks.
It is public knowledge that some of the most egregious data breaches in the past 10 years have happened within healthcare.
Chief among them was the 2018 hack of SingHealth’s system that led to a Committee of Inquiry and also the delay of the NEHR roll-out by more than five years.
The personal particulars of 1.5 million SingHealth patients, including those of then Prime Minister Lee Hsien Loong, and records of outpatient dispensed medicines belonging to 160,000 patients, were stolen.
Till today, the unidentified hostile state actors behind that attack remain unaccounted for.
More recently, there have been at least two reported cases of unauthorised access by healthcare professionals.
For instance, a neurosurgeon at SingHealth was dismissed in 2022 for inappropriately accessing the medical records of over 70 patients not under his care.
More recently, in 2025, a customer service associate at National University Hospital (NUH) was found to have unlawfully accessed the records of 11 individuals—including family members and former colleagues—via NUHS’ internal EPIC system, reportedly driven by personal motives to reconnect with one of them.
While the overwhelming majority of healthcare professionals uphold ethical and legal standards, the ease of access to such records severely undermines public trust.
Many of us may be asking - how can I be sure that the GP clinic at the next block to mine, with only one-and-a-half doctors and two clinic staff on shifts, will be able to comply with the HIB and also be itself protected against cyber and data risks created by either human or system errors?
The NEHR is only as secure as the smallest operators are
While the Health Information Bill's stringent requirements are essential for safeguarding patient data and access, they place a significant burden on smaller healthcare providers who may no longer opt out of contribution to the NEHR.
Under Part 2 Division 2, failing to comply will lead to a fine not exceeding $20,000 or to imprisonment for a term not exceeding 12 months or to both. In the case of a continuing offence after conviction, a daily fine of $1,000 applies.
Large institutions like SingHealth and National Health may mobilise their dedicated IT teams. Small practices, however, will find themselves in unfamiliar territory and will have to rely on costly external consultants to comply, creating a significant operational burden.
On an ongoing basis, the challenge is particularly acute when it comes to warding off attacks and data breaches. Under the law, healthcare providers of all sizes share legal liability for data breaches caused by Health Data Intermediaries’ failures—placing a disproportionate burden on clinics that lack control over these risks.
Although the GP IT Enablement Grant offers one-time subsidies for adopting NEHR-compatible systems, it does not cover the ongoing costs of maintaining cybersecurity compliance.
Small healthcare operators may be out of pocket for purposes of upgrading and maintaining their Clinic Management Systems to meet strict security standards, audit trails, and data portability.
Even with this grant, GPs are simply not trained to assess whether their providers use genuine end-to-end encryption, secure server configurations, or follow basic cybersecurity best practices. How can we help clinics to use appropriately secure, yet affordable, compliant systems? How can we ensure that essential cyber-hygiene practices like staff training and regular software updates are undertaken without imposing a disproportionate cost burden and/or adding to the existing pressures of running their practices?
We should also be concerned about whether this will lead to GPs passing the costs down to patients, reducing affordability in primary care. How will MOH ensure that such costs will not be passed down to patients?
How will it affect our “Mom and Pop” clinics and family doctors?
Mr Speaker, many family doctors are people who are located near to our homes, convenient for us to visit when trouble hits, and who have known us and our family members for years if not decades. They are an important part of keeping us safe and healthy.
With the CHAS and Healthier SG schemes, they have become more integrated into the overall health delivery infrastructure nation-wide. However, they are often by nature very small, akin to “mom and pop” clinics.
They are often fronted by one doctor, with, say, another doctor on a locum basis, or just one doctor alone. They open only part of the day. Some may not even have air-conditioning. And some may still use paper records.
Furthermore, the doctors are older, serving their patients past the official retirement age, which makes them well loved and trusted.
I do wonder whether the passing of HIB, with punitive costs for non-participation and compliance, may be the straw that breaks this group and pushes them to give up their practices for good. I certainly hope not.
Even if they are in the minority, we should be concerned about conveniently located medical services disappearing from our neighbourhoods at exactly the point when Singapore is becoming a super-aged society that needs more care, not less.
A volunteer shared with me recently her worries for her 87-year-old mother who lives in her own flat and is under the trusted care of a family doctor a few walkable blocks away.
This doctor runs a solo practice in a void deck shop without aircon. He only opens a few hours a day, but this suits the elderly patients that he mostly serves.
Now, if this doctor is forced to close due to implementation of HIB, my volunteer is worried that her mother will no longer have convenient access to care.
It will be stressful for this volunteer as a daughter living away from her mother whenever her mother falls ill, needs to top up her medicines or take a vaccination.
Whereas currently, she trusts her mom to visit this doctor and have her troubles sorted.
Mr Speaker, I hope MOH will provide the necessary assistance to all small clinics and practices so that the burden of HIB and NEHR may not be so overwhelming for these doctors such that they would prefer to close their practices instead.
Extend financial support beyond GP IT Enablement Grant and set up IT Shared Services Office
Given the challenges I have highlighted above, will the Minister consider giving a grant for small clinics or practices with, say, fewer than three full-time practitioners, to assist the clinic or doctors in their ongoing compliance with the HIB’s cyber and data standards and practices?
This may be an extension of the GP IT Enablement Grant, but targeted towards the smaller operators, rather than the chain clinics.
Going beyond financial support is also important: they need IT technicians to help them directly when issues arise.
They also need a dedicated helpdesk. To address this, could the Minister consider setting up an IT Shared Services Office within the Ministry that may provide small clinics with, not a one-off, but a continuing outsourced, cost effective and compliant IT support, acting in lieu of the dedicated IT department of large healthcare institutions?
Besides my suggestion above, I would also urge MOH to consider setting up a similar initiative to support all clinics and practices, like the Shared Services initiative for Charities, where the Commissioner of Charities has partnered with various organisations to set up shared services to strengthen charities’ regulatory compliance and the efficiency of their back-end operations.
These are not nice-to-haves; they are imperative. This Bill changes the rules of the game. It mandates that every private clinic—from the specialist in Orchard to the void deck GP in the heartlands—must contribute their data. They have no choice, if they wish to stay open. But if MOH were to demand institution-grade security against risks and breaches on a solo operator’s budget, it may not just be unfair, it may even be unsustainable.
Compliance with the HIB cannot be a one-size-fits-all assignment. More must be done to help onboard small clinics and family doctors at the same level of standards and readiness as large institutions. Let us not make the small clinics the weakest link of the system. They should also be the trusted, mission-critical partners worthy of a Smart Nation. But not at the expense of experienced GPs shutting down practices in the heartlands.
Change the calculus when it comes to penalties
Mr Deputy Speaker, in the final part of my speech, I will touch on the penalty regime under HIB.
I have spoken about the SingHealth data breach of 2018. The Personal Data Protection Commission (PDPC) fined SingHealth S$250,000 and its IT vendor Integrated Health Information Systems (IHiS) S$750,000, totalling S$1 million for failing to protect 1.5 million patients' data.
Section 66 of the HIB states a fine not exceeding S$1 million for organisations that fail in data security and handling of health and relevant information.
While the figure of S$1 million appears substantial in isolation, it pales when contextualised against the scale of modern healthcare data breaches such as the SingHealth one in 2018.
Let’s do the math. 1.5 million SingHealth records were leaked in 2018. The total fine of $1 million equates to an effective fine per record of 66 Singapore cents. We may wish to review whether this is the value we wish to place on the privacy of our citizens.
Furthermore, for a large healthcare conglomerate with annual revenues in the hundreds of millions, a $1 million fine may be a relatively lesser or even trivial operating expense. It is roughly equivalent to the cost of a few high-end medical devices. It is hardly a pain point, even less a serious business risk to the large hospital groups.
Instead, the $1 million cap effectively puts a ceiling on the "value" of the collective privacy of the nation, regardless of the number of persons affected.
Let us compare this with global standards that have successfully shifted corporate behavior. First, the EU’s General Data Protection Regulation (GDPR) imposes administrative fines up to €20 Million or 4% of total worldwide annual turnover, whichever is higher. The "4% turnover" clause is the main deterrent. For a tech giant or a global hospital chain, this could amount to hundreds of millions or billions of dollars. This scales the penalty to the size of the entity, ensuring that the fine is never just a "cost of doing business."
Another is the California Consumer Privacy Act (CCPA) which allows for a private right of action (class action lawsuits) with statutory damages between $100 and $750 USD per consumer per incident. This directly monetizes the harm to the individual. It creates a mathematical certainty of catastrophe for negligence. If this is applied to the SingHealth case of 1.5 million victims, we will be looking at a payout of between S$200 million and S$1.5 billion. The penalty may better match the pain of the victims. More importantly, it will make organizations take the message more seriously.
Mr Speaker, on one hand, some of us may think that the penalty regimes in EU or in California may be a tad too high or some will argue that there may be eventual costs impact on consumers. On the other hand, some may argue that they can better match the pain of the victims. We can and we should review and decide where the balance may better lie for Singapore, but it is important that our regime must ultimately make all organizations take the message more seriously.
If we were to introduce, say, a per-person fine similar to the approach in California (just for illustration purposes), we must of course discuss robustly, before any decision is made, how much this fine should be and the premises for arriving at the quantum.
Say, for illustrative purposes, we peg the fine per person’s records to what we have to pay to acquire people’s personal information from ACRA Bizfile, where each report or certificate is charged at $33 to $50. This method scales automatically. A small clinic losing 50 records pays $1,650 to $2,500—painful but survivable. This shifts the calculus. It forces senior management and Boards of Directors to view cybersecurity not as an IT cost, but as an existential business risk. It signals that the state values each individual's privacy. It moves away from the abstract notion of "system security" to the concrete value of "personal data." This is how we can build a system that is robust at the outset, that has the trust of every contributor.
We can start looking numerically at what would be a good balance for Singapore, or at least a better balance than what we have now and which, pertinently, will make all organizations take the message more seriously while being fair and equitable for bigger medical organizations as well as smaller clinics and practices.
Mr Speaker, in closing, notwithstanding the concerns I have raised, I support the Bill.