Blood donors' data accessed illegally, possibly stolen

Donors completing a questionnaire before donating blood. Personal information of more than 800,000 blood donors was put online improperly for over two months by a vendor of the Health Sciences Authority.
Donors completing a questionnaire before donating blood. Personal information of more than 800,000 blood donors was put online improperly for over two months by a vendor of the Health Sciences Authority.ST FILE PHOTO

HSA vendor says forensic analysis revealed server was accessed from several addresses

The personal information of more than 800,000 blood donors which was put online improperly for over two months was accessed illegally and possibly stolen, a Health Sciences Authority (HSA) vendor responsible for the mistake said yesterday.

The initial assumption, that a foreign cyber-security expert who had spotted the vulnerability in the server was the only person who had accessed it, was found not to be the case.

Yesterday, Secur Solutions Group (SSG), an independent vendor of HSA, said the server had also been accessed from several other IP addresses.

The database containing the personal information of blood donors was uploaded to the server around October last year.

This information included the names, NRIC numbers, gender and number of donations of people who have donated or registered to donate blood in Singapore since 1986. In some cases, donors' blood type, height, weight and the dates of their last three donations were also included.

On March 13, HSA told SSG that a US cyber-security expert had found that the registration-related information of donors could be accessed because of a vulnerability in the server used by SSG.

CAUSE FOR GREAT CONCERN

I think it's worrying that these sort of data leaks keep happening, especially since we're increasingly reliant on technology these days and all our data is online.

STUDENT MEGAN KOH, who donates blood regularly.

The server was immediately cut off from the Internet and secured, said SSG.

The vendor engaged external cyber-security professionals, KPMG in Singapore, to undertake forensic analysis. It also initiated a thorough review of its IT systems.

Preliminary examination had found that the unauthorised access was made by only the US cyber-security expert, who said he did not intend to disclose the database and was working with the authority to delete the information.

But subsequent forensic analysis revealed that the server was also accessed suspiciously from several other IP addresses between Oct 22 last year and March 13 this year.

SSG said in its statement: "Based on this new information, SSG cannot exclude the possibility that registration-related information of donors on the server was exfiltrated."

The vendor added that the database contains no other sensitive, medical or contact information.

SSG said that there had also been attacks on the same server in 2017. However, these were unrelated to the current incident, and there was no evidence to suggest any HSA data was compromised.

It is continuing its investigations into the matter, and is cooperating fully with the police and HSA. It also apologised to all the affected blood donors.

 
 
 

In a statement, HSA said it was aware of the situation, and added that it takes a serious view of the matter, which the police are investigating. The agency said that SSG was in breach of its contractual obligations and it would decide the steps it should take regarding the vendor once investigations are concluded.

HSA added that its centralised blood bank system, which is not connected to the SSG server, remains secure.

Student Megan Koh, 19, who donates blood regularly, said: "I think it's worrying that these sort of data leaks keep happening, especially since we're increasingly reliant on technology these days and all our data is online."

This is the third IT incident to strike the healthcare sector in recent months.

In January, the Ministry of Health (MOH) revealed that the confidential information of 14,200 HIV-positive individuals had been leaked online by Mikhy Farrera-Brochez, an American who had lived in Singapore.

In February, MOH said a computer error had resulted in 7,700 people receiving inaccurate healthcare subsidies when they applied for or renewed their Community Health Assist Scheme cards last September and October.

A version of this article appeared in the print edition of The Sunday Times on March 31, 2019, with the headline 'Blood donors' data accessed illegally, possibly stolen'. Print Edition | Subscribe