There was “more access” to the data of over 800,000 blood donors “than had been initially assessed by” vendor Secur Solutions Group (SSG), said the Health Sciences Authority on Sat (30 Mar), based on the vendor’s statement.
The Straits Times reported SSG as saying that “subsequent forensic analysis revealed that the server was also accessed suspiciously from several other IP addresses between Oct 22, 2018, and March 13 this year”.
“Based on this new information, SSG cannot exclude the possibility that registration-related information of donors on the server was exfiltrated,” said SSG, adding that no other “sensitive” information such as medical history or contact details was found in the database.
SSG also noted that while “there had also been attacks on the same server in 2017”, the attacks “were unrelated to the current incident, and there was no evidence to suggest that any HSA data was compromised”.
Separately, HSA assured in its statement that the “centralised blood bank system, which is not connected to the SSG server, remains secure”.
“HSA takes a serious view of this matter. SSG is in breach of its contractual obligations.
“Police investigations are continuing. HSA will decide on what steps it should take vis-à-vis SSG, once the investigations are concluded,” said HSA.
Questions regarding blood donor database leak to be raised in Parliament next week
At least eight Members of Parliament (MPs) will be filing questions on the blood donor database leak for the next Parliamentary session on Monday (1 Apr).
Aljunied GRC MP Sylvia Lim has raised the question regarding the extent of HSA’s responsibility in the matter, as well as if the Authority had adequately and reasonably carried out measures to protect the personal data of the blood donors.
Tanjong Pagar GRC MP Chia Shi-Lu has highlighted the series of data breaches involving the personal particulars of patients in the public healthcare sector, and asked as to whether there were certain major factors that leave the public healthcare IT systems particularly vulnerable to such incidents.
Health Minister Gan Kim Yong is also due to deliver a Ministerial speech on protecting the interests of patients.
Blood donor “database contained no other sensitive, medical or contact information”; not accessed by “other unauthorised: HSA
In its first statement on 15 Mar regarding the database breach, HSA revealed that it was only alerted by “a cybersecurity expert” to a vulnerability in its database, which was stored in one of Secur Solutions Group Pte Ltd (SSG)’s servers, two days prior to its announcement.
The expert proceeded to inform the Personal Data Protection Commission regarding the vulnerability a day later, following which the Commission had promptly forwarded the matter to the HSA, as the Authority is responsible for handling Singapore’s blood bank.
HSA said that it had “immediately worked with SSG to disable access to the database”, in addition to making a police report regarding the breach.
At 9.35 am, 22 minutes after HSA had received the alert from the Commission regarding the breach, the Authority instructed SSG to disable access to the database.
According to HSA, the database was fully secured at 10 a.m. against any further unauthorised access.
An SSG spokesperson told ST that the affected server “was immediately secured upon notification of the unauthorised access”.
“We have engaged external cyber security professionals, KPMG in Singapore, and initiated a thorough review of our IT systems. We are working closely with HSA and other authorities in continuing investigations,” added the spokesperson.
According to ST, the cybersecurity expert, who HSA has declined to identify, is foreign and is based overseas.
“The expert has confirmed to HSA that he does not intend to disclose the contents of the database,” said the Authority, adding: “HSA is in contact with the expert on deleting the information”.
“SSG provides services to HSA and was working on a database containing registration-related information of 808,201 blood donors”, said HSA.
Some of the information stored in the database include those regarding the “name, NRIC, gender, number of blood donations, dates of the last three blood donations, and in some cases, blood type, height and weight” of over 800,000 people who have donated or registered to donate blood in Singapore since 1986.
However, the Authority assured that “the database contained no other sensitive, medical or contact information”.
HSA added that “no other unauthorised person had accessed the database” according to “preliminary findings from HSA’s review of the database logs”.
“HSA had provided the data to SSG for updating and testing,” according to the Authority.
ST reported that the relevant databases were HSA’s Westgate Tower and Woodlands blood banks’ databases.
The data was also provided by HSA to SSG for “testing purposes after some donors said their data was outdated”.
“SSG placed the information in an internet-facing server on 4 Jan 2019 and failed to institute adequate safeguards to prevent unauthorised access.
“It had done so without HSA’s knowledge and approval, and against its contractual obligations with HSA,” said the Authority.
Chief Executive Officer of HSA Dr Mimi Choong said in response to the breach: “We sincerely apologise to our blood donors for this lapse by our vendor.
“We would like to assure donors that HSA’s centralised blood bank system is not affected.
“HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information,” she added.
The HSA database breach is the third cybersecurity breach concerning public healthcare databases in Singapore that has been reported thus far in recent months, following the HIV registry leak and Singapore’s largest cyberattack to date, the SingHealth data breach involving the particulars of around 1.5 million patients, including those of Prime Minister Lee Hsien Loong.
