800,000 blood donors' data put online by HSA vendor

Access to database cut off soon after foreign cyber-security expert discovered breach and raised alert


The personal information of more than 800,000 blood donors was improperly put online by a Health Sciences Authority (HSA) vendor for over two months, in the third IT incident to strike the healthcare sector in as many months.

The affected database contained the names, NRIC numbers, gender and number of donations of people who have donated or registered to donate blood in Singapore since 1986. For some, their blood type, height, weight and the dates of their last three donations were also included.

Disclosing the breach yesterday, the HSA said access to the database was cut off soon after the discovery.

On Jan 4, the vendor had placed the database on a server accessible via the Internet without adequate safeguards against unauthorised access, and without the HSA's knowledge or approval. The database was reachable only through a database client and not through a Web browser, the HSA said.
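The exposure described above, a database service listening on an Internet-facing host rather than a web page, is the kind of thing a host owner can catch from the machine's own listening sockets, because a listener bound to every interface is reachable by any database client on the Internet whether or not a browser could use it. The following check is an added example written for this article; it is not code from the HSA, the vendor or the article, which names neither the database product nor the host. The port list, the sample `ss -tln` snapshot and the choice to treat `0.0.0.0`, `::` and `*` as exposed are assumptions made for the example.

```python
"""Flag database listeners bound to every network interface.

Added example for this article, not code from the HSA, its vendor or the
article itself. The article does not say which database product or host
was involved, so the port table and the listener snapshot below are
assumptions constructed for illustration. Input is the text of `ss -tln`
(or `netstat -tln`); output is a list of findings for well-known database
ports bound to a wildcard address, which means any database client on the
Internet could reach them if the host is Internet-facing.
"""
import re
from dataclasses import dataclass

# Well-known database listener ports (assumed list; extend for your estate).
DB_PORTS = {
    1433: "mssql",
    1521: "oracle",
    3306: "mysql/mariadb",
    5432: "postgresql",
    6379: "redis",
    9200: "elasticsearch",
    27017: "mongodb",
}

# Bind addresses that mean "every interface" in ss/netstat output.
WILDCARD_ADDRS = {"0.0.0.0", "::", "*"}

# Constructed sample of `ss -tln` output: SSH bound everywhere (ignored),
# MySQL bound to loopback (fine), PostgreSQL and Redis bound to all
# interfaces (flagged).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   127.0.0.1:3306      0.0.0.0:*
LISTEN 0      244    0.0.0.0:5432        0.0.0.0:*
LISTEN 0      244    [::]:5432           [::]:*
LISTEN 0      511    *:6379              *:*
"""


@dataclass(frozen=True)
class Finding:
    service: str
    local_addr: str
    port: int


def parse_local_address(field):
    """Split an ss/netstat 'Local Address:Port' field into (addr, port).

    Accepts '0.0.0.0:5432', '127.0.0.1:3306', '[::]:27017' and '*:6379'.
    Returns None for anything that is not address:port (e.g. header words).
    """
    m = re.match(r"^\[?(.*?)\]?:(\d+)$", field)
    if not m:
        return None
    return m.group(1) or "*", int(m.group(2))


def exposed_db_listeners(ss_output):
    """Return a Finding for every database port bound to a wildcard address.

    Header lines, blank lines and rows with too few columns are skipped.
    Column 4 of `ss -tln` (index 3) is the local address:port.
    """
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4:
            continue
        parsed = parse_local_address(cols[3])
        if parsed is None:
            continue
        addr, port = parsed
        if port in DB_PORTS and addr in WILDCARD_ADDRS:
            findings.append(Finding(DB_PORTS[port], addr, port))
    return findings


if __name__ == "__main__":
    # On a real host, replace SAMPLE_SS_OUTPUT with the stdout of
    # subprocess.run(["ss", "-tln"], capture_output=True, text=True).
    for f in exposed_db_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: {f.service} listening on {f.local_addr}:{f.port}")
```

A listener on loopback (the MySQL row) is not flagged because only processes on the same host can reach it; the PostgreSQL and Redis rows are flagged on both IPv4 and IPv6 wildcards. The check says nothing about whether the service also requires credentials, so a flagged port is a lead to confirm the bind address, the firewall rules and the authentication settings, not proof of a breach.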

Its preliminary findings indicate that there was only one instance of external access - by a cyber-security expert who discovered the vulnerability on Tuesday and alerted the Personal Data Protection Commission to it a day later.

At 9.13am on Wednesday, the commission informed the HSA - which is in charge of the national blood bank - of the breach. At 9.35am, the HSA contacted Secur Solutions Group, the vendor working on the database, and instructed it to disable access to the information.

At 10am, the database was fully secured and no further unauthorised access was possible, said the HSA. The authority also took steps to verify that no other sensitive, medical or contact information was in the database.

"I am really deeply sorry for this lapse on the part of our vendor," said HSA chief executive Mimi Choong. "Blood donors have provided invaluable support for our national blood programme all these years; we really appreciate their contributions. Rest assured that the confidentiality of their information given to us is our utmost priority, and we really hope our donors will continue to trust us to do the right thing."

Dr Choong stressed that the HSA's centralised blood bank system, which is separated from the Internet and secured, is not affected.

A spokesman for Secur Solutions Group said the affected server "was immediately secured upon notification of the unauthorised access".

"We have engaged external cyber-security professionals, KPMG in Singapore, and initiated a thorough review of our IT systems. We are working closely with the HSA and other authorities in continuing investigations," he said.

The HSA has made a police report about the breach. It said the cyber-security expert who discovered the vulnerability, who is based overseas, has said he does not intend to disclose the database and is working with the authority to delete the information. The HSA declined to disclose his identity.

The data that was improperly put online is used at blood banks to ensure donors' appointments and registrations are seamless and efficient. It was given to the vendor to update the databases at the HSA's Westgate Tower and Woodlands blood banks after some donors said their data was outdated.

The HSA said that while it is still working with the vendor, it is considering available legal options, including terminating the vendor's services. The authority is also working with its other vendors to ensure that the rest of its data is secure.

In January, the Ministry of Health revealed that the confidential information of 14,200 HIV-positive individuals had been leaked online by an American - Mikhy Farrera-Brochez.

Last month, it said that a computer error had resulted in 7,700 people receiving inaccurate healthcare subsidies when they applied for or renewed their Community Health Assist Scheme cards in September and October last year.

Mr Movin Nyanasengeran, 27, an ecology research assistant who has been donating blood regularly for eight years, hoped that the incident is another wake-up call on the importance of data protection.

"I would have thought the authorities handling personal data would be much more cautious after the HIV Registry data leak," he said. "Luckily, most of the data is not sensitive, besides NRIC numbers."

Dr Choong said the HSA will step up checks and monitoring of its vendors to ensure the safe and proper use of blood donor information.

Singapore Red Cross secretary-general and chief executive Benjamin William said it was unfortunate that this incident of mishandling of blood donors' personal information took place, but hoped donors would not be deterred from giving blood.

"Your blood saves lives. Patients in hospitals who need blood transfusions continue to count on your donations," he said.


A version of this article appeared in the print edition of The Straits Times on March 16, 2019, with the headline 800,000 blood donors' data put online by HSA vendor.