SINGAPORE – The personal information of more than 800,000 people who have donated or registered to donate blood in Singapore since 1986 was improperly put online by a Health Sciences Authority (HSA) vendor for more than two months, but access to the database was cut off soon after the discovery.
Disclosing this in a statement on Friday (March 15), the HSA said its preliminary findings indicate that there was only one instance of external access – by a cybersecurity expert who discovered the vulnerability on Tuesday (March 12) and alerted the Personal Data Protection Commission to it a day later.
At 9.13am on Wednesday (March 13), the Commission informed the HSA, which is in charge of the national blood bank, of the breach.
At 9.35am, the HSA then contacted the vendor working on the database, Secur Solutions Group, and instructed it to disable access to the information.
At 10am, the database was fully secured and no further unauthorised access was possible, HSA said.
It immediately took steps to verify that no sensitive medical or contact information was contained in the database.
“I am really deeply sorry for this lapse on the part of our vendor,” said HSA chief executive Mimi Choong.
“Blood donors have provided invaluable support for our national blood programme through all these years; we really appreciate their contributions,” she added. “Rest assured that the confidentiality of their information given to us is our utmost priority and we really hope our donors will continue to trust in us and do the right thing.”
Dr Choong also reassured donors that HSA’s centralised blood bank system, which is separated from the Internet and secured, is not affected.
A spokesman for Secur Solutions Group said the affected server “was immediately secured upon notification of the unauthorised access”.
“We have engaged external cybersecurity professionals, KPMG in Singapore, and initiated a thorough review of our IT systems. We are working closely with HSA and other authorities in continuing investigations,” he added.
HSA has made a police report about the breach.
The foreign cybersecurity expert, who is based overseas and was not identified, has said he does not intend to disclose the database, the HSA said.
The database contained registration information such as the donor’s name, NRIC number, gender, number of blood donations and the dates of their last three blood donations. Some donors’ blood type, height and weight were also included in the database, HSA said.
The information is used at the blood banks to ensure that donors’ appointment and registration at the blood banks are seamless and efficient, it added.
The data was provided to the vendor for updating HSA’s Westgate Tower and Woodlands blood banks’ databases and testing purposes after some donors said their data was outdated.
It was placed on a server accessible through the Internet on Jan 4 without adequate safeguards to prevent unauthorised access. This was done without HSA’s knowledge and approval, and was against the vendor’s contractual obligations, HSA said, adding that the database was only accessible through a database client and not through a Web browser.
HSA added that the cybersecurity consultant who accessed the data has told them he does not intend to disclose it and is working with the agency to delete the information.
HSA could not disclose details of the consultant’s identity.
And while it is still working with the vendor, HSA is considering available legal options including termination of the vendor’s services.
The agency is also working with its other vendors to ensure that the rest of its data is secure.
The latest incident is the third healthcare-related IT incident to make the news in as many months.
In January, the Ministry of Health revealed that the confidential information of 14,200 HIV-positive individuals had been leaked online by an American, Mikhy Farrera-Brochez.
And last month, the ministry said that a computer error had resulted in 7,700 people receiving inaccurate healthcare subsidies when they applied for and renewed their Community Health Assist Scheme (Chas) cards in September and October last year.
Mr Movin Nyanasengeran, who has been donating blood regularly for eight years, said: “I would have thought that the authorities handling personal data would be much more cautious after the HIV registry data leak. Luckily, most of the data is not sensitive, besides the NRIC numbers.”
The 27-year-old ecology research assistant added that he hoped the incident would serve as another wake-up call on the importance of data protection.
Dr Choong said that HSA will also step up checks and monitoring of its vendors to ensure the safe and proper use of blood donor information.
Mr Benjamin William, chief executive of Singapore Red Cross, said it was unfortunate that this case of mishandling of personal information of blood donors happened but hoped donors would not be deterred from giving blood. On average, 14 units of blood are used every hour in Singapore.
“Your blood saves lives,” he said. “Patients in hospitals who need blood transfusions continue to count on your donations.”
This article was first published in The Straits Times. Permission required for reproduction.