
SINGAPORE: The personal information of 808,201 blood donors in Singapore was left exposed on the Internet for a period of nine weeks from Jan 4, after the data was mishandled by a vendor of the Health Sciences Authority (HSA).
The information was only secured on Wednesday (Mar 13) after a cybersecurity expert discovered the vulnerability.
The vendor, Secur Solutions Group, had been given a copy of all HSA's blood donor records for updating, said HSA, after some donors who used the self-help kiosks said that their personal information was not up to date.
The tech vendor then placed the information on an unsecured database that was connected to the Internet on Jan 4 this year, and failed to put in place adequate safeguards to prevent unauthorised access, HSA said.
Information on the database included names, NRIC numbers, gender, number of blood donations, dates of the last three blood donations and, in some cases, blood type, height and weight.
"The database contained no other sensitive, medical or contact information," said HSA in a media release.
The vendor's decision to put the donor data on an Internet-facing, unsecured database was made without HSA's knowledge and approval, the agency said, adding that it has made a police report.
On Mar 13 at 9.13am, HSA was informed by the Personal Data Protection Commission (PDPC) that a cybersecurity expert had alerted them to the database vulnerability. HSA then contacted Secur Solutions at 9.35am to remove the unsecured database from the Internet, and it was fully secured at 10am, it said.
Preliminary investigations by HSA showed that its centralised blood bank systems were not affected, and other than the cybersecurity expert who flagged the vulnerability, no other unauthorised person had accessed the database online.
“The expert has confirmed to HSA that he does not intend to disclose the contents of the database,” it said. “HSA is in contact with the expert on deleting the information.”
HSA CEO Mimi Choong apologised to blood donors over the lapse by its vendor.
"We would like to assure donors that HSA's centralised blood bank system is not affected," she said.
"HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information."
In a separate media release on Friday, Secur Solutions Group said it is conducting a thorough review of its IT systems.
“The affected server was immediately secured upon notification of the unauthorised access,” said a spokesperson. “We have engaged external cybersecurity professionals, KPMG in Singapore, and initiated a thorough review of our IT systems. We are working closely with HSA and other authorities in continuing investigations.”
This is the fourth IT-related incident to have hit the Health Ministry in the past nine months, including the SingHealth cyberattack last June that saw 1.5 million Singaporeans’ health records stolen.