Following a recent series of security breaches affecting healthcare patients in Singapore, another public-sector health agency has reported that the personal information of 808,201 blood donors was left exposed after a third-party vendor failed to secure a server holding the data. The database contained registration-related information such as donors' names and national identification numbers and, in some instances, blood type and weight.
The Health Sciences Authority (HSA) was alerted on 13 March 2019 that a server belonging to one of its vendors contained an HSA database that was not adequately safeguarded against access over the internet. The vendor provides services to HSA and was working on a database containing registration-related information on the blood donors: name, NRIC, gender, number of blood donations, dates of the last three blood donations and, in some cases, blood type, height and weight. The database contained no other sensitive, medical or contact information.
Cybersecurity expert uncovered the exposed database
A cybersecurity expert discovered the exposure and alerted the Personal Data Protection Commission. HSA immediately worked with its vendor, SSG, to disable access to the database.
HSA has also made a police report. The expert has confirmed to HSA that he does not intend to disclose the contents of the database, and HSA is in contact with him about deleting the information.
Health Sciences Authority apologises for data breach
Chief Executive Officer of HSA, Dr Mimi Choong, said: “We sincerely apologise to our blood donors for this lapse by our vendor. We would like to assure donors that HSA’s centralised blood bank system is not affected. HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information.”
Third-party vendor failed to put in place adequate security measures
Investigations are ongoing. Preliminary findings from HSA's review of the database logs show that, other than the cybersecurity expert who raised the alert, no unauthorised person accessed the database. HSA had provided the data to the vendor for updating and testing.
The vendor then placed the information on an internet-facing server on 4 January 2019 and failed to put in place adequate safeguards against unauthorised access. It did so without HSA's knowledge or approval, and in breach of its contractual obligations to HSA.