Photo from HSA press release

There was “more access” to the data of over 800,000 blood donors “than had been initially assessed by” vendor Secur Solutions Group (SSG), said the Health Sciences Authority on Sat (30 Mar), based on the vendor’s statement.

The Straits Times reported SSG as saying that “subsequent forensic analysis revealed that the server was also accessed suspiciously from several other IP addresses between Oct 22, 2018, and March 13 this year”.

“Based on this new information, SSG cannot exclude the possibility that registration-related information of donors on the server was exfiltrated,” said SSG, adding that no other “sensitive” information such as medical history or contact details was found in the database.

SSG also noted that while “there had also been attacks on the same server in 2017”, the attacks “were unrelated to the current incident, and there was no evidence to suggest that any HSA data was compromised”.

Separately, HSA assured in its statement that the “centralised blood bank system, which is not connected to the SSG server, remains secure”.

“HSA takes a serious view of this matter. SSG is in breach of its contractual obligations.

“Police investigations are continuing. HSA will decide on what steps it should take vis-à-vis SSG, once the investigations are concluded,” said HSA.

Questions regarding blood donor database leak to be raised in Parliament next week

At least eight Members of Parliament (MPs) will be filing questions on the blood donor database leak for the next Parliamentary session on Monday (1 Apr).

Aljunied GRC MP Sylvia Lim has raised the question of the extent of HSA’s responsibility in the matter, as well as whether the Authority had adequately and reasonably carried out measures to protect the personal data of the blood donors.

Tanjong Pagar GRC MP Chia Shi-Lu has highlighted the series of data breaches involving the personal particulars of patients in the public healthcare sector, and asked whether there were certain major factors that leave the public healthcare IT systems particularly vulnerable to such incidents.

Health Minister Gan Kim Yong is also due to deliver a Ministerial speech on protecting the interests of patients.

Blood donor “database contained no other sensitive, medical or contact information”; not accessed by “other unauthorised person”: HSA

In its first statement on 15 Mar regarding the database breach, HSA revealed that it was only alerted by “a cybersecurity expert” to a vulnerability in its database, which was stored in one of Secur Solutions Group Pte Ltd (SSG)’s servers, two days prior to its announcement.

The expert proceeded to inform the Personal Data Protection Commission regarding the vulnerability a day later, following which the Commission promptly forwarded the matter to the HSA, as the Authority is responsible for handling Singapore’s blood bank.

HSA said that it had “immediately worked with SSG to disable access to the database”, in addition to making a police report regarding the breach.

At 9.35 am, 22 minutes after HSA had received the alert from the Commission regarding the breach, the Authority instructed SSG to disable access to the database.

According to HSA, the database was fully secured at 10 a.m. against any further unauthorised access.

An SSG spokesperson told ST that the affected server “was immediately secured upon notification of the unauthorised access”.

“We have engaged external cyber security professionals, KPMG in Singapore, and initiated a thorough review of our IT systems. We are working closely with HSA and other authorities in continuing investigations,” added the spokesperson.

According to ST, the cybersecurity expert, whom HSA has declined to identify, is foreign and is based overseas.

“The expert has confirmed to HSA that he does not intend to disclose the contents of the database,” said the Authority, adding: “HSA is in contact with the expert on deleting the information”.

“SSG provides services to HSA and was working on a database containing registration-related information of 808,201 blood donors”, said HSA.

Information stored in the database includes the “name, NRIC, gender, number of blood donations, dates of the last three blood donations, and in some cases, blood type, height and weight” of over 800,000 people who have donated or registered to donate blood in Singapore since 1986.

However, the Authority assured that “the database contained no other sensitive, medical or contact information”.

HSA added that “no other unauthorised person had accessed the database” according to “preliminary findings from HSA’s review of the database logs”.

“HSA had provided the data to SSG for updating and testing,” according to the Authority.

ST reported that the relevant databases were HSA’s Westgate Tower and Woodlands blood banks’ databases.

The data was also provided by HSA to SSG for “testing purposes after some donors said their data was outdated”.

“SSG placed the information in an internet-facing server on 4 Jan 2019 and failed to institute adequate safeguards to prevent unauthorised access.

“It had done so without HSA’s knowledge and approval, and against its contractual obligations with HSA,” said the Authority.

Chief Executive Officer of HSA Dr Mimi Choong said in response to the breach: “We sincerely apologise to our blood donors for this lapse by our vendor.

“We would like to assure donors that HSA’s centralised blood bank system is not affected.

“HSA will also step up checks and monitoring of our vendors to ensure the safe and proper use of blood donor information,” she added.

The HSA database breach is the third cybersecurity breach concerning public healthcare databases in Singapore that has been reported thus far in recent months, following the HIV registry leak and Singapore’s largest cyberattack to date, the SingHealth data breach involving the particulars of around 1.5 million patients, including those of Prime Minister Lee Hsien Loong.
