The personal information of more than 800,000 people who have donated or tried to donate blood in Singapore since 1986 was leaked online and remained accessible for over 2 months.
The information was improperly put online by an IT vendor engaged by the Health Sciences Authority.
This was disclosed today by the HSA, which is in charge of the national blood bank.
The database contained donors’ registration information, such as name, NRIC number, gender, number of blood donations and the dates of their last 3 blood donations. Some donors’ blood type, height and weight were also included in the database.
The HSA said that it was first alerted to the breach on Wednesday (13 Mar).
A foreign cyber security expert discovered the breach a day earlier (12 Mar) and alerted the Personal Data Protection Commission.
Findings at this stage suggest that the cyber security expert was the only person to have accessed the information.
After it was made aware of the breach, the HSA instructed its vendor, Secur Solutions Group, to disable access to the information.
HSA chief executive Dr Mimi Choong has apologised for the lapse.
Donors’ data had been provided to the vendor for updating HSA’s Westgate Tower and Woodlands blood banks’ databases.
It was placed on a server accessible through the Internet on 4 Jan without adequate safeguards to prevent unauthorised access.
The HSA said that this was done without its knowledge and approval, and was against the vendor’s contractual obligations.
This latest incident is the 3rd publicly-disclosed healthcare-related IT lapse to shake Singapore in the past 3 months.