More than 60,000 users of the Health Promotion Board's (HPB) Healthy 365 app had their Healthpoint reward and redemption service suspended after anomalies were detected in the scanning of programme registration QR codes.
In response to queries from The Straits Times, the board said an unusual surge in scanning activity was detected during its regular programme audits, and immediate action was taken to suspend the reward and redemption service for about 62,000 accounts involved.
As of March 31, the Healthy 365 app had been downloaded 1.8 million times, HPB said. Users get Healthpoints when they scan QR codes for programmes such as health screening and coaching. These can be redeemed through the app for vouchers.
HPB said its probe found most of the affected account holders scanned QR codes without attending the relevant programme. Users who had attended them had shared the QR codes, without HPB's consent, with non-attendees.
The affected accounts were suspended on April 30. The suspension will continue till May 31, during which time the participation of users in the relevant programmes will be verified, HPB said. Healthpoints and rewards obtained from unauthorised QR code scans will also be clawed back.
Users can continue to accumulate Healthpoints in their accounts during the suspension period, it added.
Several users posted about the suspension of their redemption service on HPB's Facebook page. Last Thursday, Facebook user Ezekiel Lim wrote that the redemption service appeared to be suspended for "no apparent reason".
Others asked how long the review would take as they had expiring Healthpoints.
Mr Cubie Leng, 42, an architect, said he felt HPB had not been clear that the QR code should not have been shared in that way.
Mr Leng, whose account was affected, told ST that the QR code had been circulated online, and when he received and scanned it, he "did not see a disclaimer that said you are not supposed to scan if you did not take part in the programme".
HPB said it tracks its programme registration QR codes to monitor unauthorised use. It added it would be tightening its processes to safeguard against such cases of abuse.
It is also looking into restricting the validity period of QR codes, doing regular checks to ensure that the scans tally with programme attendance, and suspending the rewards redemption for abusers' accounts for at least one month as a deterrent against future abuse.
HPB also said no personal data from Healthy 365 app users was compromised in the incident.