
Unauthorized Access: NUH Staff Fined for Illegally Viewing Patient Records

Credit: Straits Times Photo (Kelvin Chng)

Hospital data breach exposes systemic vulnerabilities and highlights need for stronger safeguards

A routine internal review at a major Singapore hospital uncovered a personal misuse of sensitive patient data, revealing how easily trust can be broken inside critical healthcare systems.

A Misuse of Trust Inside a Major Hospital
Norkamelia Osman, a 34-year-old customer service associate deployed to the National University Hospital, was fined 5,000 dollars on December 1 after she admitted to accessing confidential patient information without authorisation. Her actions violated the Computer Misuse Act, and the court took one additional similar charge into consideration.

How She Gained Access to Sensitive Information
Norkamelia previously worked at Ng Teng Fong General Hospital before moving to NUH in 2022. In her role, she had access to the Epic system, a critical software platform used across healthcare institutions to manage patient records, appointments, and billing. While she was authorised to use the system for her job, she was not allowed to view the records of individuals outside her assigned duties.

Investigation Triggered by a Disturbing Online Exchange
The case began unraveling in July 2023 when NUH received an anonymous tip-off from a woman at a different medical institution. The woman revealed that Norkamelia had contacted her on Instagram and later WhatsApp, asking about her work and her child’s health details. Shocked at how Norkamelia knew information she had never shared, the woman reported the incident.

MOH Review Confirms Unauthorized Access
The Ministry of Health conducted an internal investigation, which concluded that Norkamelia had used the Epic system to look up details of the woman and her child. A police report was subsequently filed in May 2024 after the ministry completed its review.

Motivation Behind the Repeated Data Breaches
During questioning, Norkamelia admitted that she had accessed the records because she wanted to reconnect with the woman, with whom she had lost contact during the pandemic. Prosecutors highlighted this as a serious breach of trust, noting that her actions left the victim disconcerted.

223 Unauthorised Accesses Across 11 Patients
Between July 1 and December 31, 2022, Norkamelia accessed the Epic system 223 times to view records of 11 individuals who were not under her care. The list included her own family members, a former boss, and several ex-colleagues, showing a consistent pattern of misuse rather than a single lapse.

The incident underscores the ongoing challenge of protecting sensitive patient data in an increasingly digital healthcare landscape. Both Indonesians and Singaporeans rely on strong medical systems, and breaches like this highlight why continued investment in cybersecurity training, system alerts, and access controls is crucial to maintain public confidence and safeguard personal information.

Sources: Straits Times (2025)

Keywords: NUH Case, Data Breach Singapore, Patient Records Access, Healthcare Privacy, EPIC System
