The personal information of over 800,000 blood donors in Singapore has been exposed through an unsecured database located on an internet-facing server.
According to the Health Sciences Authority (HSA), the data was exposed for nine weeks starting in January 2019, before being discovered by a cyber security expert who alerted Singapore’s Personal Data Protection Commission (PDPC).
Channel Asia understands that the cyber security expert who discovered the vulnerability is not Singaporean and is based overseas. HSA is in contact with the expert to have the exposed data deleted.
The provider in question is Secur Solutions Group, contracted by HSA for services such as developing and maintaining the blood bank’s e-registration, re-booking, feedback and queue management systems.
The incident took place when the provider was working on a database containing the registration-related information of 808,201 blood donors, which included names, NRIC numbers, gender, number of blood donations, dates of the last three blood donations and, in some cases, blood type, height and weight.
At this stage, it appears no other sensitive, medical or contact information was exposed. However, the data covered all visitors to HSA's blood banks, including those who were unable to donate blood because of illness.
The data in question was provided by HSA to Secur Solutions Group for updating and testing, following feedback HSA received in late 2018 from donors that their data was not up to date.
Investigations found that the data was placed on an internet-facing server on 4 January 2019 without the necessary safeguards to prevent unauthorised access.
This was done without HSA’s knowledge and approval, and against its contractual obligations with HSA.
“We sincerely apologise to our blood donors for this lapse by our vendor,” said Dr Mimi Choong, CEO of HSA. “We would like to assure donors that HSA's centralised blood bank system is not affected.
“HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information.”
Once alerted to the incident by the cyber security expert, HSA immediately worked with Secur Solutions Group to disable access to the database and subsequently made a police report.
While HSA continues to investigate the incident, preliminary findings indicate that there was no unauthorised access to the exposed data other than by the cyber security expert who discovered the vulnerability and alerted the authorities, and who has been instructed by HSA to delete the exposed data.
Investigations are ongoing, and the incident appears to have been unintentional. However, with the rise in regional data breaches and security incidents, including 2018's SingHealth data breach that exposed the personal information of 1.5 million patients, public and private organisations entrusted with the public's data need not just to be more careful but to put in place adequate safeguards against human error.