The personal information of more than 800,000 Singapore blood donors that was exposed earlier this year may have been accessed illegally and possibly stolen, it has emerged.
The Health Sciences Authority (HSA) had earlier said that the data that was leaked on an unsecured server by its vendor was found by a cybersecurity expert but not accessed by anyone else.
Secur Solutions Group, the vendor, now says that the server where the data was misplaced was accessed suspiciously from several IP addresses, Channel NewsAsia reported yesterday.
This occurred between October 22, 2018 and March 13, 2019, it said in a statement to the media outlet. As a result, it could not rule out that donors’ information was exfiltrated.
This information includes NRIC numbers, gender, number of blood donations, dates of the last three blood donations, and in some cases, blood type, height and weight.
Though the database contained no medical or contact information, the new development will raise further questions on how well data is protected by government agencies.
This is the third high-profile data leak to be made public in Singapore in less than a year.
In January this year, news came that 14,200 HIV patients had their personal details exposed. In July last year, the country faced its largest data breach when it emerged that 1.5 million people had their information stolen from the SingHealth healthcare group.
Yesterday, the HSA said in a statement that the centralised blood bank system, which is not connected to the vendor’s server, remains secure.
The government agency also said its vendor was is in breach of contractual obligations. Police investigations are continuing, it noted, adding that it would decide on the steps to take, once the investigations are concluded.