
More than 800,000 individuals who have donated blood or have attempted to do so in Singapore had their personal particulars placed at risk over the Internet due to unauthorised access by a Health Sciences Authority (HSA) vendor for over two months.

In a statement on Friday (15 Mar), HSA revealed that it was alerted by “a cybersecurity expert” to a vulnerability in its database, which was stored on one of Secur Solutions Group Pte Ltd (SSG)’s servers, only two days prior to its announcement.

The expert informed the Personal Data Protection Commission of the vulnerability a day later, following which the Commission promptly forwarded the matter to the HSA, as the Authority is responsible for handling Singapore’s blood bank.

HSA said that it had “immediately worked with SSG to disable access to the database”, in addition to making a police report regarding the breach.

At 9.35 a.m., 22 minutes after HSA had received the alert from the Commission regarding the breach, the Authority instructed SSG to disable access to the database.

According to HSA, the database was fully secured at 10 a.m. against any further unauthorised access.

An SSG spokesperson told The Straits Times that the affected server “was immediately secured upon notification of the unauthorised access”.

“We have engaged external cyber security professionals, KPMG in Singapore, and initiated a thorough review of our IT systems. We are working closely with HSA and other authorities in continuing investigations,” added the spokesperson.

According to ST, the cybersecurity expert, whom HSA has declined to identify, is foreign and is based overseas.

“The expert has confirmed to HSA that he does not intend to disclose the contents of the database,” said the Authority, adding: “HSA is in contact with the expert on deleting the information”.

“SSG provides services to HSA and was working on a database containing registration-related information of 808,201 blood donors”, said HSA.

The information stored in the database includes the “name, NRIC, gender, number of blood donations, dates of the last three blood donations, and in some cases, blood type, height and weight” of over 800,000 people who have donated or registered to donate blood in Singapore since 1986.

However, the Authority gave the assurance that “the database contained no other sensitive, medical or contact information”.

HSA added that “no other unauthorised person had accessed the database” according to “preliminary findings from HSA’s review of the database logs”.

“HSA had provided the data to SSG for updating and testing,” according to the Authority.

ST reported that the relevant databases were HSA’s Westgate Tower and Woodlands blood banks’ databases.

The data was also provided by HSA to SSG for “testing purposes after some donors said their data was outdated”.

“SSG placed the information in an internet-facing server on 4 Jan 2019 and failed to institute adequate safeguards to prevent unauthorised access.

“It had done so without HSA’s knowledge and approval, and against its contractual obligations with HSA,” said the Authority.

Chief Executive Officer of HSA Dr Mimi Choong said in response to the breach: “We sincerely apologise to our blood donors for this lapse by our vendor.

“We would like to assure donors that HSA’s centralised blood bank system is not affected.

“HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information,” she added.

The Authority also urged concerned donors whose particulars may have been affected by the breach to contact it at its hotline number: 62200183.

The HSA database breach is the third cybersecurity breach concerning public healthcare databases in Singapore to be reported in recent months, following the HIV registry leak and Singapore’s largest cyberattack to date, the SingHealth data breach involving the particulars of around 1.5 million patients, including those of Prime Minister Lee Hsien Loong.
