Personal information of 800,000 blood donors left exposed online by vendor, says HSA

This is the fourth IT-related incident that has hit the Ministry of Health in Singapore in a span of about 9 months.
By Dean Koh
11:01 AM

Above photo: The registration counter of the Bloodbank@HSA located in Outram, Singapore. Credit: HSA

The Health Sciences Authority (HSA), a statutory board under the Ministry of Health (MOH) in Singapore, said in a statement on March 15 that one of its vendors, Secur Solutions Group Pte Ltd (SSG), had failed to properly secure an HSA database against access over the Internet. The database contained registration-related information of 808,201 blood donors, including name, NRIC number, number of blood donations, dates of the last three blood donations and, in some instances, blood type, height and weight. According to the HSA, the database did not contain any other sensitive, medical or contact information.

A cybersecurity expert discovered the vulnerability on March 12 and alerted the Personal Data Protection Commission (PDPC) the next day. HSA worked with SSG immediately to disable access to the database. HSA has also made a police report and is in contact with the expert on deleting the information. Investigations are pending, and preliminary findings indicate that, other than the cybersecurity expert who raised the alert, there was no other unauthorised access to the database.

The information provided to SSG was placed on an unsecured database in an internet-facing server on January 4 this year and the vendor did not put in place adequate safeguards to prevent unauthorised access.

“We sincerely apologise to our blood donors for this lapse by our vendor. We would like to assure donors that HSA's centralised blood bank system is not affected. HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information,” said Dr Mimi Choong, CEO of HSA in a statement.

Including this latest case as reported by HSA, the Ministry has experienced four IT-related incidents since the SingHealth cyberattack, which happened from June to July 2018. Of the other two incidents, one occurred in January 2019, in which the confidential information of 14,200 HIV-positive individuals was leaked, and last month MOH said that a computer error had resulted in 7700 people receiving inaccurate CHAS healthcare subsidies.