Another data breach: more than 800,000 blood donors’ personal information leaked online

HSA sorry for vendors' security lapse but assures centralised blood bank system not affected.

1623
Photo: YouTube screengrab

Singapore – Yet another breach of security occurred when the Health Sciences Authority (HSA) was alerted on Mar 13 (Wed) that the personal information of over 800,000 blood donors had been accidentally leaked online.

HSA released a statement on Mar 15 (Fri) regarding the improper handling of confidential information.

The organisation said that one of its vendors, Secur Solutions Group Pte Ltd (SSG) “was not adequately safeguarded against access over the internet” causing for the HSA database to be accessed by anyone online.

The vendor, which provides services to HSA, has been working on a database containing personal information of 808,201 of HSA’s blood donors. Information such as the name, NRIC, gender, number of blood donations, dates of the last three blood donations, and in some cases, blood type, height, and weight were compromised.

According to the press release, the database contained no other sensitive, medical or contact information.

It was a cybersecurity expert who had first spotted the vulnerability and had immediately alerted the Personal Data Protection Commission. Soon after, HSA and SSG disabled access to the database and a police report was made.

“The expert has confirmed to HSA that he does not intend to disclose the contents of the database,” said HSA. “HSA is in contact with the expert on deleting the information.”

With the ongoing investigation, preliminary findings have shown no other unauthorised access to the database aside from the cybersecurity expert, during its period of vulnerability.

Furthermore, HSA explained that the information provided to SSG were for updating and testing purposes only. The vendor placed the data in an “internet-facing server” on January 4, 2019, and “failed to institute adequate safeguards to prevent unauthorised access.”

“It had done so without HSA’s knowledge and approval, and against its contractual obligations with HSA,” added the authority.

CEO of HSA Dr Mimi Choong has extended apologies for the incident, “We sincerely apologise to our blood donors for this lapse by our vendor. We would like to assure donors that HSA’s centralised blood bank system is not affected. HSA will also step up checks and monitoring of our vendors to ensure the safe, and proper use of blood donor information.”

Donors can call the hotline number 62200183 for more information.

HSA has also uploaded a letter of apology to their blood donors:

Photo: HSA website screengrab