In light of the recent conviction of a former UOB employee for leaking personal data of over 1,000 customers to scammers, it is imperative that we reinforce our frontline defenses, starting with our front desk and customer service teams.
I urge all staff to treat every request for patient information with the highest level of scrutiny. Social engineering tactics are becoming increasingly sophisticated, and a single lapse can expose the personal data of hundreds of patients and damage both their safety and our reputation.
What NOT to Do:
- Do not disclose patient details (name, NRIC, contact number, appointment time, diagnosis, etc.) over the phone without proper verification.
- Do not assume familiarity or urgency from the caller as proof of legitimacy.
- Do not rely solely on caller ID or internal references: caller ID can be spoofed, and staff names or case numbers may already be known to the caller.
What TO Do Instead:
- Verify Caller Identity
  - Ask for full name, NRIC/passport number, and registered contact number.
  - Cross-check against system records before proceeding.
  - Treat a match as necessary, not sufficient: a scammer holding leaked data can supply the same details, so matching details alone do not confirm identity.
- Use Callback Protocols
  - If unsure, inform the caller you will return the call after verifying their identity.
  - Use the official number listed in the system – not the one provided by the caller.
- Log Every Request
  - Record the date, time, name of caller, purpose of call, and outcome.
  - Flag any suspicious or repeated requests for review.
- Escalate When in Doubt
  - If the request feels off, escalate to your supervisor or the Data Protection Officer (DPO) immediately.
  - Never feel pressured to release information on the spot.
- Regular Training & Simulation
  - Participate in quarterly refresher sessions on data protection and scam awareness.
  - Engage in mock call drills to build confidence and consistency.