More than 800,000 blood donors in Singapore may have had their personal information illegally accessed and stolen. This was due to a mishandling of personal data by Secur Solutions Group (SSG), a vendor hired by the Health Sciences Authority (HSA).
The information, which includes the full names, NRIC numbers and other details of blood donors since 1986, was left on an unsecured online database from October 2018. A cyber security expert discovered the vulnerability more than two months later, on 12 March 2019, and alerted the Personal Data Protection Commission.
On 13 March, SSG secured the server and took it off the internet. They promptly issued an apology for their actions, which had breached the formal contract they had with HSA. A preliminary investigation by HSA determined that apart from the security expert, there were no other breaches of the server.
Upon further investigation, SSG revealed on 30 March that several other IP addresses had been found to have accessed the database, and could potentially have extracted the information.
The police are currently working together with SSG, which has engaged external cyber-security experts to carry out further forensic analysis on the matter. Further action will be taken against SSG over its contractual breach once the investigations have concluded.
This is the third healthcare-related cyber incident to have affected Singapore in recent months. The first was the unauthorised release of confidential information of more than 14,000 HIV-positive individuals to the public. The second followed a month later, in February, when a computer error resulted in inaccurate healthcare subsidies for more than 7,000 Singaporean patients.