IT slip-up at HSA: Blood donors concerned, but will not stop giving blood

SINGAPORE — While blood donors called on the Health Sciences Authority (HSA) to get its act together and step up its protection of personal data, they said that the latest cyber-security incident to hit the healthcare industry will not stop them from donating blood.

A blood donor giving blood at the Health Sciences Authority's blood bank. Donors are counting on the authority to strengthen its cyber security, to be more careful in protecting their personal information.

On Friday (March 15), HSA revealed that the personal data of more than 808,000 donors ended up on the Internet in January and was left there for nine weeks by its vendor, Secur Solutions Group.

It was taken down on Wednesday and secured, after an overseas-based cyber-security expert discovered the vulnerability and alerted the Personal Data Protection Commission.  

Blood donor Andrew Wilfred, 33, who makes a donation every three months, said that he would continue to do so despite the incident.

The public servant said that donating blood is an important “civic duty” and patients undergoing surgeries in hospitals need it. “I used to work in hospital administration and I know how much blood is used on a regular basis,” he said.

“You just do it because it’s the right thing to do and it’s not a huge effort.”

He acknowledged, though, that he was concerned about the prospect of his personal data being compromised and urged the HSA to ensure that external vendors do not have access to donors’ personal data, such as their identity-card numbers.

Researcher Lim Dixun, 26, last donated blood three years ago, but said that she is open to the practice again if she comes across a donation drive.

To her, it is an act of goodwill and the latest security breach should be seen as a separate matter. “In this case, it’s not a matter of life and death. But in the case of donating blood, it might be,” she said.

“I’m putting faith in the HSA that it will step up its security levels and ensure that this will not happen again,” she added.

While the implications are not severe in this instance given that the data did not fall into the wrong hands, she said she may “think twice” about donating if her data had been misused.

She called on the HSA to be accountable to donors, and said that the authority could have contacted them via email or text message to tell them about the incident. So far, the HSA has published a letter addressed to donors on its website.

Business owner Shahroull Khairoullah, 27, who donates blood every three or four months, said that the information being compromised did not matter much to him.

He donates blood because of its health benefits, saying it promotes the recovery of new blood, making it easier for his heart to regulate blood flow. It also helps those in need, he added.

He urged the HSA to strengthen its cyber security. “This is not the first time (something like that has happened), and I’m not sure it’s going to be the last,” Mr Shahroull said.

HSA’s chief executive officer Mimi Choong has apologised for the lapse by its vendor and stressed that its centralised blood bank system was unaffected.  

Presently, regular blood donors make up just 1.84 per cent of Singapore’s population.

Dr Choong said: “We value their contributions and sincerely hope the improper handling of the registration-related information by our vendor does not deter them from continuing their donations.”

MORE ABOUT THE INCIDENT

Secur, which was responsible for maintaining the blood bank’s systems, mishandled the personal data of 808,201 individuals who registered to donate blood at HSA’s blood banks.

The information included their names, identity-card numbers, gender and dates of their last three blood donations.

In some cases, it included the donors’ blood type, height and weight.

Secur was updating the databases of two of HSA’s blood banks, but placed the information on an unsecured database on an Internet-facing server. This database, however, was accessible only to those who had downloaded a piece of software, and authorisation was required.

After being alerted, the HSA said that it worked immediately with Secur to disable access to the database. It also made a police report about the data being exposed.

Preliminary findings from a review of database logs showed that only the cyber-security expert accessed the database.

The HSA is in contact with the expert, whom it described as a white-hat cyber-security professional “of certain standing”. White-hat hackers are computer-security specialists whose role is to break into protected systems to test their security, before hackers with malicious intent strike.

The expert, who was not identified, has assured the HSA that he does not intend to disclose the database’s contents.

The authority is also understood to be studying its options in dealing with Secur, which could include terminating its contract.

Investigations are continuing.
