HSA sets up committee to review management of sensitive data

Investigations into the leak of the personal data of more than 800,000 blood donors are ongoing, said Senior Minister of State for Health Edwin Tong.

The Health Sciences Authority (HSA) has set up a committee to review its policies and processes for managing sensitive data, and recommend appropriate measures.

This comes on the heels of a data breach involving the personal information of more than 800,000 blood donors, Senior Minister of State for Health Edwin Tong said in Parliament yesterday.

The Health Ministry and its agencies will also review the life cycle management of the data being handled by their existing information technology vendors.

The leaked data had been uploaded to a server last October without appropriate safeguards by HSA's vendor, Secur Solutions Group, which was appointed to maintain and enhance the queue management system for blood donors.

Initially, it was thought the data had been accessed only by a US cyber-security expert who had spotted the vulnerability in the server last month. But subsequent forensic analysis showed the server was also accessed suspiciously from several other IP addresses between last October and March this year, Secur Solutions Group said last Saturday.

Mr Tong said investigations are continuing.

Meanwhile, a committee has been convened by Prime Minister Lee Hsien Loong to conduct a comprehensive review of data security practices across the entire public service.

Announced on Sunday, it is chaired by Deputy Prime Minister Teo Chee Hean, and will recommend technical measures and the capabilities needed to improve the Government's response to incidents and protect citizens' data, as well as develop an action plan to implement them.

As for the HSA's board committee, it is chaired by Mr Max Loh, chairman of the HSA board's audit and risk committee, and includes members from the Government Technology Agency.

Mr Tong told the House that the cyber-security expert who spotted the HSA vulnerability works for a company that specialises in identifying and reporting vulnerabilities of IT systems. The person was not employed or engaged by the HSA or the Health Ministry.

The expert informed the HSA on March 16 that he had deleted his copy of the data and had no intention of disclosing its contents. He did not seek any compensation either.

"We will not be taking any legal action against him because he had reported the vulnerability to us straightaway, and had no intention to keep, use or expose the contents of the database, and has not done so," said the Senior Minister of State.

Mr Tong also agreed with Dr Chia Shi-Lu's (Tanjong Pagar GRC) idea to streamline the procurement of IT services across its departments, statutory boards and public hospitals to reduce personal data access by multiple vendors.

"We have done so progressively in the public healthcare family, where we are able to do so," he added.

Minister for Communications and Information S. Iswaran said that the Personal Data Protection Commission is investigating Secur Solutions Group.

If the company is found to be in breach of the Personal Data Protection Act, the commission will take action against it.

As HSA is a government agency, the Smart Nation and Digital Government Group is also conducting an investigation into the incident, he added.


A version of this article appeared in the print edition of The Straits Times on April 02, 2019, with the headline HSA sets up committee to review management of sensitive data.