Ms Cheng Li Hui
MP for Tampines GRC
Question No. 2719
To ask the Minister for Health in respect of the incident whereby blood donors’ personal data are compromised (a) whether there are further updates from the preliminary investigation; (b) what follow-up actions have been carried out with the cybersecurity expert who discovered the vulnerability; (c) whether there is a framework in place to ensure that vendors comply with safeguards to prevent unsafe practices and unauthorised access to data; and (d) what measures are necessary to prevent future occurrences and to reassure future blood donors.
Dr Chia Shi-Lu
MP for Tanjong Pagar GRC
Question No. 2726
To ask the Minister for Health in light of the exposure of blood donors’ personal data online (a) whether the Ministry will consider streamlining the procurement of IT services across its departments, statutory boards, hospitals and clinics to reduce personal data access by multiple vendors; and (b) whether there are factors causing the public healthcare sector to be particularly vulnerable to IT incidents.
Mr Desmond Choo
MP for Tampines GRC
Question No. 2732
To ask the Minister for Health in light of the cyber breach involving 800,000 blood donors (a) how will the Ministry improve its overall cyber security measures; and (b) how will its security framework also extend to its providers and vendors.
Mr Dennis Tan Lip Fong
Non-Constituency MP
Question No. 2740
To ask the Minister for Health in respect of the data leak of more than 800,000 blood donors’ personal information from the database of the Health Sciences Authority (a) why was the data placed on a server accessible through the Internet on 4 January 2019; (b) how did the unnamed cyber security consultant gain access to the data; (c) why did he keep the data; and (d) whether his conduct was in breach of any law.
Assoc Prof Daniel Goh Pei Siong
Non-Constituency MP
Question No. 2744
To ask the Minister for Health regarding the data leak of more than 800,000 blood donors’ personal information (a) whether the Health Sciences Authority is aware of any unauthorised access to the database during the nine-week period of exposure on the Internet; and (b) whether such incidents are being investigated.
Mr Png Eng Huat
MP for Hougang
Question No. 2745
To ask the Minister for Health (a) whether there has been any compensation or payment made to the cybersecurity expert who discovered and downloaded the unsecured HSA database containing the personal information of more than 800,000 blood donors; and (b) whether it is a condition set by the said expert that his identity should remain secret.
Ms Rahayu Mahzam
MP for Jurong GRC
Question No. 2751
To ask the Minister for Health in respect of the incident whereby personal information of more than 800,000 blood donors was improperly put online by the IT vendor of the Health Sciences Authority (a) what are the possible effects of such disclosure to the blood donors affected and what measures can be put in place to minimise these effects; (b) what structures will be put in place to ensure that such an incident can be avoided in the future; and (c) what penalties will be imposed to address any improper action by relevant parties that led to the improper disclosure.
Oral Reply
1 Members of this House have asked for further updates on the preliminary investigation of the data leak of blood donors’ personal information from the database of the vendor appointed by the Health Sciences Authority (or HSA).
The IT Vendor Secur Solutions Group Pte Ltd
2 Secur Solutions Group Pte Ltd (or Secur Solutions) is an independent vendor of HSA appointed to maintain and enhance the queue management system for blood donors.
3 On 13 March 2019, a foreign cyber security expert had informed the Personal Data Protection Commission (PDPC) that the registration-related information of blood donors could be accessed because of a vulnerability in the server used and managed by Secur Solutions. HSA immediately worked with Secur Solutions to disable access to the server.
Re-cap of Events
4 On 30 March, Secur Solutions issued a statement to provide more information on this incident. Investigations are continuing, and a further update will be provided when available.
The Cybersecurity Expert
5 Members have also asked questions relating to the cybersecurity expert. The cybersecurity expert works for a company that specialises in identifying and reporting vulnerabilities of IT systems. He was not employed or engaged by HSA or MOH. He informed HSA on 16 March 2019 that he had deleted his copy of the data and has no intention of disclosing its contents. He had never made any request for compensation or payment. And we will not be taking any legal action against him because he had reported the vulnerability to us straight away, and had no intention to keep, use or otherwise expose the contents of the database, and has not done so.
Steps taken to prevent similar occurrence
6 Members have asked what additional steps MOH and HSA can take to reduce the risk of data mismanagement.
7 The measures to be taken to prevent a similar occurrence will be shaped by what specific findings arise from the ongoing investigations into the incident. MOH and its agencies will also conduct a review on the lifecycle management of the data being handled by existing IT vendors.
8 In addition, the HSA Board has set up a Board Committee chaired by Mr Max Loh, Chairman of HSA Board’s Audit and Risk Committee. The Board Committee also includes members from the Government Technology Organisation (or GOVTECH). It will review HSA’s current policies and processes for managing sensitive data, and recommend measures.
9 Yesterday, the Government also announced that the Prime Minister has also convened a Public Sector Data Security Review Committee, chaired by Deputy Prime Minister Teo Chee Hean, to conduct a comprehensive review of data security practices across the entire Public Service. MOH and its agencies will extend our fullest cooperation to the work of the Committee.
Streamlining of IT Procurement
10 Dr Chia Shi-Lu has asked if the Ministry should consider streamlining the procurement of IT services across its departments, statutory boards and public hospitals to reduce personal data access by multiple vendors. We agree, and have done so progressively in the public healthcare family, where we are able to do so.
Thank you.