SINGAPORE - The personal information of more than 800,000 blood donors which was put online improperly for over two months was accessed illegally and possibly stolen, a Health Sciences Authority (HSA) vendor responsible for the mistake said on Saturday (March 30).
It was initially thought that only a foreign cyber-security expert, who spotted the vulnerability in the server that stored the data, had accessed it.
However on Saturday, Secur Solutions Group (SSG), an independent vendor of HSA, said its server was also accessed suspiciously from several other IP addresses between October and March this year. It did not say whether these addresses were local or foreign.
A database containing the personal information of blood donors was uploaded to this server around October last year.
This information included the names, NRIC numbers, gender and number of donations of people who have donated or registered to donate blood in Singapore since 1986.
In some cases, donors' blood type, height, weight and the dates of their last three donations were also included.
On March 13, HSA told SSG that a US cyber-security expert had found that the registration-related information of donors could be accessed because of a vulnerability in the server used by SSG.
The server was immediately cut off from the Internet and secured, said SSG.
The vendor engaged external cyber-security professionals, KPMG in Singapore, to undertake forensic analysis. It also initiated a thorough review of its IT systems.
Preliminary examination had found that the unauthorised access was made by only the US cyber-security expert, who said he did not intend to disclose the database and was working with the authority to delete the information.
But subsequent forensic analysis revealed that the server was also accessed suspiciously from several other IP addresses between Oct 22, 2018, and March 13 this year.
SSG said in its statement: "Based on this new information, SSG cannot exclude the possibility that registration-related information of donors on the server was exfiltrated."
The vendor added that the database contains no other sensitive, medical or contact information.
SSG said that there had also been attacks on the same server in 2017. However, these were unrelated to the current incident, and there was no evidence to suggest that any HSA data was compromised.
It is continuing its investigations into the matter, and is cooperating fully with the police and HSA.
It also apologised to all the affected blood donors.
In a statement, HSA said that it was aware of the situation, and added that it takes a serious view of the matter, which the police are investigating.
The agency said that SSG is in breach of its contractual obligations and it will decide on what steps it should take regarding SSG once investigations are concluded.
HSA added that its centralised blood bank system, which is not connected to the SSG server, remains secure.
This is the third IT incident to strike the healthcare sector in recent months.
In January, the Ministry of Health (MOH) revealed that the confidential information of 14,200 HIV-positive individuals had been leaked online by Mikhy Farrera-Brochez, an American who had been living in Singapore.
And in February, MOH said that a computer error had resulted in 7,700 people receiving inaccurate healthcare subsidies when they applied for or renewed their Community Health Assist Scheme cards in September and October last year.
This article was first published in The Straits Times. Permission required for reproduction.