The personal information of about 808,201 individuals who have donated or attempted to donate blood in Singapore since 1986 was left exposed online by a vendor of the country’s Health Science Authority.
Securs Solutions was working with an HSA database containing registration-related information. The data was placed on a public-facing, unsecured database on January 4. According to officials, the vendor failed to place adequate safeguards on the server to prevent unauthorized access.
“This was done without HSA’s knowledge and approval and was contrary to its contractual obligations with HSA,” officials said in a statement.
A cybersecurity researcher discovered the vulnerability and notified the vendor. Access to the database was removed soon after the error was reported.
The database contained names, identification numbers, the number of donations, dates of the last three donations, and for some patients, blood type, weight, and height were included. The database did not contain any other sensitive, medical, or contact data.
HSA reported the incident to police. Officials said the researcher does not intend to disclose the database contents and is working with them to ensure the data is deleted. The investigation has determined that the database was not accessed by any other unauthorized user.
This security incident is just the latest security lapse for the Singapore public sector in the last year. The data of 1.5 million SingHealth patients was hacked between August 2017 and July 2018, when it was finally discovered. And in recent months, the data of 14,200 individuals with HIV was compromised.
The inquiry into the SIngHealth breach ended in January, revealing a host of security flaws, including bad system management and a lack of employee training. Officials said they’re currently reviewing the country’s data protection to close security gaps and have since proposed new security guidelines to boost resilience.
Vendor breaches are far too common in the US healthcare sector, as well. Security researchers have noted that a strong data inventory, annual risk assessments, and detailed contracting can help shore up risks to covered entities.