Healthpoints redemption for 62,000 Healthy 365 accounts suspended due to abuse in QR code scanning: HPB

Users of the Healthy 365 app are awarded with Healthpoints when they scan QR codes meant for programmes such as health screening and health coaching. PHOTOS: SCREENGRABS FROM HEALTHY 365 APP

SINGAPORE - More than 60,000 users of the Health Promotion Board's (HPB) Healthy 365 app have had their Healthpoint rewards and redemption service suspended after anomalies were detected in the scanning of programme registration QR codes.

In response to queries from ST, the board said that an unusual surge in scanning activity was detected during the regular programme audits HPB conducts, and immediate action was taken to suspend the rewards and redemption service for about 62,000 accounts involved. As of March 31, the Healthy 365 app has been downloaded 1.8 million times, according to HPB.

Users of the Healthy 365 app are awarded with Healthpoints when they scan QR codes meant for programmes such as health screening and health coaching.

These can be redeemed through the app for vouchers to use at places such as Koi, Lazada or FairPrice.

HPB said that its investigation showed that most of the affected accounts scanned QR codes without attending the programme that the code was assigned to. Users who had attended the programmes had shared the QR code, without HPB's consent, with non-attendees.

In its reply to queries from ST, HPB emphasised that its programme QR codes are tied to specific HPB programmes meant for participants only.

Members of the public who receive QR codes from unverified sources are advised not to scan the codes, said HPB, adding that if in doubt, they should contact HPB for clarification.

The affected accounts were suspended on April 30. The suspension will continue till May 31, during which time the participation of the users in the relevant programmes will be verified, HPB said. Healthpoints and rewards improperly obtained from unauthorised QR code scans will also be clawed back.

Users can continue to accumulate Healthpoints in their accounts during the suspension period, it added.

As of Saturday, HPB had lifted the suspension on 17 accounts after the participation of these users in the programme the codes were meant for had been verified.

Several users posted about the suspension of their redemption service on HPB's Facebook page.

Facebook user Ezekiel Lim wrote on Thursday saying that the redemption service appeared to be suspended for "no apparent reason".

Other users commented on the same thread asking how long the review would take as they had expiring Healthpoints.

Mr Cubie Leng, 42, an architect, said that he felt HPB had not been clear that the QR code should not have been shared in that way.

Mr Leng, whose account was affected, told ST that the QR code had been circulated online, and when he received and scanned it, he "did not see a disclaimer that said you are not supposed to scan if you did not take part in the programme".

Mr Leng suggested that the QR codes should lead to a page that explains that if someone had not taken part in the programme, they should not scan it, and if it was found that it was still intentionally scanned, then HPB would reserve the right to take back the points given.

"The suspension has inconvenienced a lot of people, including many of my friends. Some of them have accumulated a few thousand points before this happened, and now they can't redeem them due to the suspension," he said.

HPB said that it tracks its programme registration QR codes to monitor unauthorised use.

"We would like to remind users that all Healthpoint transactions and QR code scans are monitored individually and any unauthorised scans can be detected," said HPB.

HPB added that it would be tightening its processes to safeguard against such cases of abuse.

It is looking into restricting the validity period of QR codes, conducting regular checks to ensure that the number of scans tally with programme attendance and suspending the rewards redemption service of any abuser's account for a period of at least one month as a deterrent against future abuse.

HPB also said that no personal data from Healthy 365 app users was compromised in the incident.

Join ST's Telegram channel and get the latest breaking news delivered to you.