Photo from HSA press release

There was “more access” to the data of over 800,000 blood donors “than had been initially assessed by” vendor Secur Solutions Group (SSG), said the Health Sciences Authority on Sat (30 Mar), based on the vendor’s statement.

The Straits Times reported SSG as saying that “subsequent forensic analysis revealed that the server was also accessed suspiciously from several other IP addresses between Oct 22, 2018, and March 13 this year”.

“Based on this new information, SSG cannot exclude the possibility that registration-related information of donors on the server was exfiltrated,” said SSG, adding that no other “sensitive” information such as medical history or contact details was found in the database.

SSG also noted that while “there had also been attacks on the same server in 2017”, the attacks “were unrelated to the current incident, and there was no evidence to suggest that any HSA data was compromised”.

Separately, HSA assured in its statement that the “centralised blood bank system, which is not connected to the SSG server, remains secure”.

“HSA takes a serious view of this matter. SSG is in breach of its contractual obligations.

“Police investigations are continuing. HSA will decide on what steps it should take vis-à-vis SSG, once the investigations are concluded,” said HSA.

Questions regarding blood donor database leak to be raised in Parliament next week

At least eight Members of Parliament (MPs) will be filing questions on the blood donor database leak for the next Parliamentary session on Monday (1 Apr).

Aljunied GRC MP Sylvia Lim has raised the question of the extent of HSA’s responsibility in the matter, as well as whether the Authority had adequately and reasonably carried out measures to protect the personal data of the blood donors.

Tanjong Pagar GRC MP Chia Shi-Lu has highlighted the series of data breaches involving the personal particulars of patients in the public healthcare sector, and asked whether there were certain major factors that leave the public healthcare IT systems particularly vulnerable to such incidents.

Health Minister Gan Kim Yong is also due to deliver a Ministerial speech on protecting the interests of patients.

Blood donor “database contained no other sensitive, medical or contact information”; not accessed by “other unauthorised person”: HSA

In its first statement on 15 Mar regarding the database breach, HSA revealed that it was only alerted by “a cybersecurity expert” to a vulnerability in its database, which was stored in one of Secur Solutions Group Pte Ltd (SSG)’s servers, two days prior to its announcement.

The expert proceeded to inform the Personal Data Protection Commission regarding the vulnerability a day later, following which the Commission promptly forwarded the matter to the HSA, as the Authority is responsible for handling Singapore’s blood bank.

HSA said that it had “immediately worked with SSG to disable access to the database”, in addition to making a police report regarding the breach.

At 9.35 am, 22 minutes after HSA had received the alert from the Commission regarding the breach, the Authority instructed SSG to disable access to the database.

According to HSA, the database was fully secured at 10 a.m. against any further unauthorised access.

An SSG spokesperson told ST that the affected server “was immediately secured upon notification of the unauthorised access”.

“We have engaged external cyber security professionals, KPMG in Singapore, and initiated a thorough review of our IT systems. We are working closely with HSA and other authorities in continuing investigations,” added the spokesperson.

According to ST, the cybersecurity expert, whom HSA has declined to identify, is foreign and is based overseas.

“The expert has confirmed to HSA that he does not intend to disclose the contents of the database,” said the Authority, adding: “HSA is in contact with the expert on deleting the information”.

“SSG provides services to HSA and was working on a database containing registration-related information of 808,201 blood donors”, said HSA.

Some of the information stored in the database includes the “name, NRIC, gender, number of blood donations, dates of the last three blood donations, and in some cases, blood type, height and weight” of over 800,000 people who have donated or registered to donate blood in Singapore since 1986.

However, the Authority assured that “the database contained no other sensitive, medical or contact information”.

HSA added that “no other unauthorised person had accessed the database” according to “preliminary findings from HSA’s review of the database logs”.

“HSA had provided the data to SSG for updating and testing,” according to the Authority.

ST reported that the relevant databases were HSA’s Westgate Tower and Woodlands blood banks’ databases.

The data was also provided by HSA to SSG for “testing purposes after some donors said their data was outdated”.

“SSG placed the information in an internet-facing server on 4 Jan 2019 and failed to institute adequate safeguards to prevent unauthorised access.

“It had done so without HSA’s knowledge and approval, and against its contractual obligations with HSA,” said the Authority.

Chief Executive Officer of HSA Dr Mimi Choong said in response to the breach: “We sincerely apologise to our blood donors for this lapse by our vendor.

“We would like to assure donors that HSA’s centralised blood bank system is not affected.

“HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information,” she added.

The HSA database breach is the third cybersecurity breach concerning public healthcare databases in Singapore that has been reported thus far in recent months, following the HIV registry leak and Singapore’s largest cyberattack to date, the SingHealth data breach involving the particulars of around 1.5 million patients, including those of Prime Minister Lee Hsien Loong.
