Improper Handling of Personal Information of Blood Donors
The Health Sciences Authority (HSA) was alerted on 13 March 2019 that one of its vendor’s servers contained an HSA database that was not adequately safeguarded against access over the internet. The vendor is Secur Solutions Group Pte Ltd (SSG). SSG provides services to HSA and was working on a database containing registration-related information of 808,201 blood donors: Name, NRIC, gender, number of blood donations, dates of the last three blood donations, and in some cases, blood type, height and weight. The database contained no other sensitive, medical or contact information.
2. A cybersecurity expert had discovered this vulnerability and alerted the Personal Data Protection Commission. HSA immediately worked with SSG to disable access to the database. We have also made a Police report. The expert has confirmed to HSA that he does not intend to disclose the contents of the database. HSA is in contact with the expert on deleting the information.
3. Investigations are ongoing. Preliminary findings from HSA's review of the database logs show that other than the cybersecurity expert who raised the alert, no other unauthorised person had accessed the database.
4. HSA had provided the data to SSG for updating and testing. SSG placed the information in an internet-facing server on 4 Jan 2019 and failed to institute adequate safeguards to prevent unauthorised access. It had done so without HSA’s knowledge and approval, and against its contractual obligations with HSA.
5. Chief Executive Officer of HSA, Dr Mimi Choong, said: “We sincerely apologise to our blood donors for this lapse by our vendor. We would like to assure donors that HSA's centralised blood bank system is not affected. HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information.”
6. More details can be found at this link on HSA’s website https://www.hsa.gov.sg/content/hsa/en/News_Events/HSA_Updates/2019/letter-to-blood-donor.html. Donors can also contact HSA at the following hotline number 62200183.
HEALTH SCIENCES AUTHORITY
15 MARCH 2019