Personal information of more than 800,000 blood donors exposed online by tech vendor: HSA


File photo of a blood donor in Singapore. 

SINGAPORE: The personal information of 808,201 blood donors in Singapore was left exposed on the Internet for a period of nine weeks from Jan 4, after the data was mishandled by a vendor of the Health Sciences Authority (HSA). 

The information, which included names and NRIC numbers, was only secured on Wednesday (Mar 13) after a cybersecurity expert discovered the vulnerability and alerted authorities. 

Preliminary investigations by HSA showed that other than the expert who flagged the vulnerability, no other unauthorised person had accessed the database online.

“The expert has confirmed to HSA that he does not intend to disclose the contents of the database,” it said. “HSA is in contact with the expert on deleting the information.”

Explaining the incident on Friday, HSA said the vendor, Secur Solutions Group, had been given a copy of all HSA's blood donor records for updating, as some donors who had used the self-help kiosks said that their personal information was not up to date. 

The tech vendor then placed the information on an unsecured database that was connected to the Internet on Jan 4 this year, and failed to put in place adequate safeguards to prevent unauthorised access, HSA said in a media release.

Information on the database included names, NRIC numbers, gender, number of blood donations, dates of the last three blood donations and, in some cases, blood type, height and weight. 

"The database contained no other sensitive, medical or contact information," said HSA. 

The vendor's decision to put the donor data on an Internet-facing, unsecured database was done without HSA's knowledge and approval, the agency said.

On Mar 13 at 9.13am, HSA was informed by the Personal Data Protection Commission (PDPC) that a cybersecurity expert had alerted them to the database vulnerability. HSA then contacted Secur Solutions at 9.35am to remove the unsecured database from the Internet, and it was fully secured at 10am, it said. 

Preliminary investigations by HSA showed that its centralised blood bank systems were not affected. The agency added that it has made a police report. 

HSA CEO Mimi Choong apologised to blood donors over the lapse by its vendor.

"We would like to assure donors that HSA's centralised blood bank system is not affected," she said.

"HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information."

An HSA spokesperson also told Channel NewsAsia it is considering available legal options, including "termination of the vendor's services". 

This is the fourth IT-related incident to have hit the Health Ministry in the past nine months, including the SingHealth cyberattack last June that saw the health records of 1.5 million Singaporeans stolen. 

In a separate media release on Friday, Secur Solutions Group said it is conducting a thorough review of its IT systems. 

"The affected server was immediately secured upon notification of the unauthorised access," said a spokesperson. "We have engaged external cybersecurity professionals, KPMG in Singapore, and initiated a thorough review of our IT systems. We are working closely with HSA and other authorities in continuing investigations."

Singapore Red Cross CEO Benjamin William said in a press release it is "unfortunate" the personal information of blood donors has been compromised.

"I would like to assure our blood donors that, together with our partner HSA, safeguarding the confidentiality of donor information is our utmost priority," Mr William said.

Dr Choong made a similar request for blood donors not to stop giving blood.

She said: "I deeply appreciate the 1.84 per cent of our population who are blood donors, and have provided valuable support for the national blood programme through these years.

"We value their contributions and sincerely hope the improper handling of the registration-related information by our vendor does not deter them from continuing their donations."

Source: CNA/gs
