Parliament: HSA sets up panel to review management of sensitive data following breach

The personal information of more than 800,000 blood donors had been uploaded to a server in October last year without proper safeguards by HSA's vendor Secur Solutions Group.
The personal information of more than 800,000 blood donors had been uploaded to a server in October last year without proper safeguards by HSA's vendor Secur Solutions Group.PHOTO: ST FILE

SINGAPORE - The Health Sciences Authority (HSA) has set up a board committee to review its current policies and processes for managing sensitive data, and recommend appropriate measures. This comes on the heels of a data breach involving the personal information of more than 800,000 blood donors, said Senior Minister of State for Health Edwin Tong on Monday (April 1).

The Ministry of Health (MOH) and its agencies will also review the life-cycle management of the data being handled by their existing information technology (IT) vendors.

"The measures to be taken to prevent a similar occurrence will be shaped by what specific findings arise from the ongoing investigations into the incident," Mr Tong added, in response to questions from MPs on the additional steps that the MOH and HSA can take to reduce the risk of data mismanagement.

The breached blood donor information had been uploaded to a server in October last year without appropriate safeguards by HSA's vendor, Secur Solutions Group, which was appointed to maintain and enhance the queue management system for blood donors.

Initially, it was thought that the data had been accessed only by a United States cyber-security expert who spotted the vulnerability in the server in March.

But subsequent forensic analysis showed that the server was also accessed suspiciously from several other IP addresses between October last year and March, Secur Solutions Group said last Saturday.

Mr Tong said that investigations are continuing, and a further update will be provided when available.

 
 
 
 

The MOH and its agencies will cooperate fully with the Public Sector Data Security Review Committee, he added.

Meanwhile, Prime Minister Lee Hsien Loong has convened a committee to conduct a comprehensive review of data security practices across the entire public service.

Announced on Sunday, it is chaired by Deputy Prime Minister Teo Chee Hean and will recommend technical measures and the capabilities needed to improve the Government’s response to incidents and protect citizens’ data, and develop an action plan to implement them in the immediate and longer term.

The HSA's board committee is being chaired by Mr Max Loh, chairman of the HSA board's audit and risk committee, and includes members from the Government Technology Agency (GovTech).

Mr Tong told the House the cybersecurity expert who spotted the HSA vulnerability works for a company that specialises in identifying and reporting vulnerabilities of IT systems, and was not employed or engaged by the HSA or MOH.

The expert informed the HSA on March 16 that he had deleted his copy of the data and has no intention of disclosing its contents. He did not seek any compensation either.

"We will not be taking any legal action against him because he had reported the vulnerability to us straight away, and had no intention to keep, use or expose the contents of the database, and has not done so," said Mr Tong.

He also agreed with Dr Chia Shi-Lu’s (Tanjong Pagar GRC) call to streamline the procurement IT services across its departments, statutory boards and public hospitals to reduce personal data access by multiple vendors.

"We agree, and have done so progressively in the public healthcare family, where we are able to do so," said Mr Tong.

Meanwhile, Non-Constituency MP Dennis Tan asked why the data was placed on a server accessible through the Internet and how the cyber security expert gained access to the data and whether his conduct was in breach of the law.

Mr Tong replied that these matters are covered by the ongoing investigations, and information will be provided when they are verified.

Minister for Communications and Information S. Iswaran said that the Personal Data Protection Commission is investigating Secur Solutions Group.

If found to be in breach of the Personal Data Protection Act, the commission will take the appropriate enforcement actions against the company, such as issuing directions and imposing financial penalties.

As the HSA is a government agency, the Smart Nation and Digital Government Group is also conducting an investigation into the incident, he added.