The private information of more than 800,000 blood donors in Singapore was put online without authorisation by a Health Sciences Authority (HSA) vendor.
The database contained information such as name, NRIC, gender, blood type and dates of blood donations and did not contain other sensitive, medical or contact information, the HSA said in a statement on Friday (15 March).
The authority said preliminary findings show that a cybersecurity expert discovered the vulnerability and alerted the Personal Data Protection Commission on Wednesday.
HSA then contacted the vendor, Secur Solutions Group (SSG), to disable access to the database, and made a police report.
It noted that the cybersecurity expert had told the HSA that he does not intend to disclose the data that he had accessed, and is working with the agency to delete the information.
Preliminary findings by HSA’s review of the database show that no unauthorised person other than the cybersecurity expert had accessed the database.
HSA had provided the blood donors’ data to SSG for updating and testing purposes. On 4 January, the vendor placed the data on a server that was accessible via the Internet without putting in place adequate safeguards to prevent unauthorised access.
SSG did so without the HSA’s knowledge and approval, and the action was against the vendor’s contractual obligations, the HSA said.
The leak comes less than two months after the Ministry of Health (MOH) announced the online leak of confidential data belonging to 14,200 HIV-positive individuals and 2,400 others who were identified through contact tracing.
American citizen Mikhy K Farrera Brochez, 34, was fingered as the culprit behind the leak.
In July last year, the MOH announced that health records of 1.5 million Singaporeans, including Prime Minister Lee Hsien Loong, were stolen in a suspected state-sponsored attack, the country’s biggest ever data breach.