HSA blood donor data leak: When ‘sorry’ may not be enough

In yet another data leak, 808,201 blood donors in Singapore had their personal details exposed in January this year, after a Health Sciences Authority (HSA) database was placed on an Internet-facing server.

Blood donors had their NRIC, gender, number of blood donations, dates of the last three blood donations, and in some cases, blood type, height and weight, leaked on the Net for two months until a cyber-security expert found the loophole and informed the authorities on March 13.

Revealing the leak on March 15, the HSA said that no other unauthorised person besides the cyber-security expert had accessed the data.

That’s the good news. The bad news is that this is the third such data leak to be made public in Singapore in less than a year, which raises questions of how well private citizen data is being protected.

In January this year as well, news came that 14,200 HIV patients had their personal details exposed.

In July last year, country faced its largest data breach when it emerged that 1.5 million people had their information stolen from the SingHealth healthcare group.

So far, none of the people affected have had any practical recourse.

It’s not clear if they have been advised to mitigate the problem, say, by obtaining identity theft insurance or learning how to combat online fraud.

READ ALSO:

User logins, passwords from S’pore govt agencies ‘on sale on dark web’

Data breaches dent Singapore’s image as a tech innovator

While SingHealth and its technology vendor were fined a combined S$1 million by the government privacy watchdog, the Ministry of Health where the HIV patient data was stolen is exempt from the same penalties.

Now, the data leak at the HSA is likely to have the same outcome. The government agency may not be fined because it does not have to face the same music as private companies.

In a letter to blood donors last week, its chief executive officer, Dr Mimi Choong, apologised for the leak, which she attributed to an external vendor that had placed the unsecured database on an Internet-facing server.

Well, at least, HSA has been prompt to notify donors as well as announce the leak publicly, despite it being seemingly contained.

Public confidence is paramount here. People should be able to donate blood without worrying about exposing their personal data.

This contrasts with how MOH handled the HIV data leak. It had known about that breach for two years but felt it had contained the leak so it didn’t go public with the news until much later.

That can’t be the way to win confidence from users in a smart nation.

Government agencies, as these recent problems have shown, have to simply do better.

While the SingHealth hack was attributed to a sophisticated hacker group backed by a nation state, the HIV data leak and this HSA one are clearly down to a lack of adequate cyber security measures.

For the HIV case, the data was downloaded onto a USB drive, which should not have been allowed on machines holding sensitive data.

In this HSA case, the database was not secure and it was placed by a third-party vendor on an Internet-facing server. Both cases are clearly preventable.

Sure, there should not be a blame culture at a time when the smallest mistakes can expose one to cyber security issues, such is the complexity of IT systems today.

Yet, these two recent cases show that measures you expect the government to take to protect confidential data are not there. That is a systemic issue that has to be tackled.

It’s also rather bizarre that the government can fine private entities, like karaoke operators or other small businesses, princely sums for losing their data, when its own agencies are not taking the expected steps to protect citizens’ data.

In 2016, K Box had to pay a fine of S$50,000 for exposing 317,000 customer names, contact numbers and addresses after it suffered a cyber attack.

Its IT vendor was fined S$10,000 for simply not updating its systems to more secure versions.

Now, what is the penalty for a government agency that has just leaked more sensitive data belonging to more than 800,000 people?

And that’s down to a vendor taking an unsecured database and placing it on a server connected to the Internet.

Beyond saying sorry in future, the government as a whole has to demonstrate more rigour in its cyber security efforts, by conducting more regular IT audits and setting up data protection software and practices across its agencies.

It has beefed things up before. Okay, it took a data breach on SingPass in 2014 before security was finally strengthened with two-factor authentication.

But today, the system for logging into government e-services has been revamped, bringing it up to date with the private sector.

So, the task is not an impossible one.

The more data that is out there means there will be a higher risk of data breaches in future. That’s a given.

However, there is no reason not to have tougher data protection measures. More needs to be done, as these two recent lapses now show.

ABOUT THE AUTHOR:

Alfred Siew is the editor of Techgoondu.com, where this commentary first appeared.