Personal information of over 800,000 blood donors exposed online: HSA

SINGAPORE – The personal information of more than 800,000 blood donors in Singapore was accidentally put online by a Health Sciences Authority (HSA) vendor, but access to the database was cut off soon after the discovery.

Disclosing this in a statement on Friday (March 15), the HSA said its preliminary findings indicate that there was only one instance of external access – by a cyber security expert who discovered the vulnerability on Tuesday (March 12) and alerted the Personal Data Protection Commission (PDPC) to it a day later.

The Commission informed the HSA, which is in charge of the national blood bank.

The HSA then contacted the vendor working on the database, Secur Solutions Group, and instructed it to disable access to the information.

The database contained registration information about everyone who has ever donated blood in Singapore, or who tried to donate blood and was turned away. This includes their name, NRIC number, gender, number of blood donations and the dates of their last three blood donations. Some donors’ blood type, height and weight were also included in the database.

“The database contained no other sensitive, medical or contact information,” HSA said.

The data had been provided to the vendor for updating and testing purposes, it added.

It was placed on a server accessible through the Internet on Jan 4 without adequate safeguards to prevent unauthorised access. This was done without HSA’s knowledge and approval, and was against the vendor’s contractual obligations, HSA said.

The cyber security consultant who accessed the data has told the HSA that he does not intend to disclose it and is working with the agency to delete the information, it added.

Said HSA chief executive, Dr Mimi Choong: “We sincerely apologise to our blood donors for this lapse by our vendor. We would like to assure donors that HSA’s centralised blood bank system is not affected.

“HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information,” she added.
