Remedial Actions Following Blood Donors' Personal Data Leak
Ministry of Health
Summary
This set of questions concerns the leak of the personal data of more than 800,000 blood donors from a server used and managed by the Health Sciences Authority's vendor, Secur Solutions Group Pte Ltd. Members of Parliament asked for updates on the investigation, about the conduct of the cybersecurity expert who discovered the vulnerability, and about strengthening frameworks to ensure that vendors comply with data safeguards. Senior Minister of State for Health Mr Edwin Tong Chun Fai clarified that no legal action would be taken against the expert, who reported the vulnerability immediately and deleted his copy of the data. He announced that an HSA Board Committee and a Public Sector Data Security Review Committee have been established to review data security practices comprehensively. The Ministry of Health will also review the life-cycle management of data handled by its existing IT vendors and continue streamlining IT procurement across the public healthcare sector so that fewer vendors have access to personal data.
Transcript
6 Miss Cheng Li Hui asked the Minister for Health in respect of the incident whereby blood donors' personal data are compromised (a) whether there are further updates from the preliminary investigation; (b) what follow-up actions have been carried out with the cybersecurity expert who discovered the vulnerability; (c) whether there is a framework in place to ensure that vendors comply with safeguards to prevent unsafe practices and unauthorised access to data; and (d) what measures are necessary to prevent future occurrences and to reassure future blood donors.
7 Dr Chia Shi-Lu asked the Minister for Health in light of the exposure of blood donors' personal data online (a) whether the Ministry will consider streamlining the procurement of IT services across its departments, statutory boards, hospitals and clinics to reduce personal data access by multiple vendors; and (b) whether there are factors causing the public healthcare sector to be particularly vulnerable to IT incidents.
8 Mr Desmond Choo asked the Minister for Health in light of the cyber breach involving 800,000 blood donors (a) how will the Ministry improve its overall cybersecurity measures; and (b) how will its security framework also extend to its providers and vendors.
9 Mr Dennis Tan Lip Fong asked the Minister for Health in respect of the data leak of more than 800,000 blood donors' personal information from the database of the Health Sciences Authority (a) why was the data placed on a server accessible through the Internet on 4 January 2019; (b) how did the unnamed cybersecurity consultant gain access to the data; (c) why did he keep the data; and (d) whether his conduct was in breach of any law.
10 Assoc Prof Daniel Goh Pei Siong asked the Minister for Health regarding the data leak of more than 800,000 blood donors' personal information (a) whether the Health Sciences Authority is aware of any unauthorised access to the database during the nine-week period of exposure on the Internet; and (b) whether such incidents are being investigated.
11 Mr Png Eng Huat asked the Minister for Health (a) whether there has been any compensation or payment made to the cybersecurity expert who discovered and downloaded the unsecured HSA database containing the personal information of more than 800,000 blood donors; and (b) whether it is a condition set by the said expert that his identity should remain secret.
12 Ms Rahayu Mahzam asked the Minister for Health in respect of the incident whereby personal information of more than 800,000 blood donors was improperly put online by the IT vendor of the Health Sciences Authority (a) what are the possible effects of such disclosure on the blood donors affected and what measures can be put in place to minimise these effects; (b) what structures will be put in place to ensure that such an incident can be avoided in the future; and (c) what penalties will be imposed to address any improper action by relevant parties that led to the improper disclosure.
The Senior Minister of State for Health (Mr Edwin Tong Chun Fai) (for the Minister for Health): Mr Speaker, with leave, may I take Question Nos 6 to 12 together?
Mr Speaker: Yes, please.
Mr Edwin Tong Chun Fai: Thank you. Members of this House have asked for further updates on the preliminary investigation of the data leak of blood donors' personal information from the database of the vendor appointed by the Health Sciences Authority or HSA.
Secur Solutions Group Pte Ltd or Secur Solutions is an independent vendor of HSA appointed to maintain and enhance the queue management system for blood donors.
On 13 March 2019, a foreign cybersecurity expert had informed the Personal Data Protection Commission (PDPC) that the registration-related information of blood donors could be accessed because of a vulnerability in the server used and managed by Secur Solutions. HSA immediately worked with Secur Solutions to disable access to the server.
On 30 March, Secur Solutions issued a statement to provide more information on this incident. Investigations are continuing and a further update will be provided when available.
Members have also asked questions relating to the cybersecurity expert. The cybersecurity expert works for a company that specialises in identifying and reporting vulnerabilities of IT systems. He was not employed or engaged by HSA or MOH. He informed HSA on 16 March 2019 that he had deleted his copy of the data and has no intention of disclosing its contents. He had never made any request for compensation or payment, and we will not be taking any legal action against him because he had reported the vulnerability to us straightaway, and had no intention to keep, use or otherwise expose the contents of the database, and has not done so.
Members have asked what additional steps MOH and HSA can take to reduce the risk of data mismanagement.
The measures to be taken to prevent a similar occurrence will be shaped by what specific findings arise from the on-going investigations into the incident. MOH and its agencies will also conduct a review on the life-cycle management of the data being handled by existing IT vendors.
In addition, the HSA Board has set up a Board Committee chaired by Mr Max Loh, Chairman of HSA Board's Audit and Risk Committee. The Board Committee also includes members from the Government Technology Organisation or GovTech. It will review HSA's current policies and processes for managing sensitive data, and recommend measures.
Yesterday, the Government also announced that the Prime Minister has also convened a Public Sector Data Security Review Committee, chaired by Deputy Prime Minister Teo Chee Hean, to conduct a comprehensive review of data security practices across the entire Public Service. MOH and its agencies will extend our fullest cooperation to the work of the Committee.
Dr Chia Shi-Lu has asked if the Ministry should consider streamlining the procurement of IT services across its departments, statutory boards and public hospitals to reduce personal data access by multiple vendors. We agree, and have done so progressively in the public healthcare family, where we are able to do so.
Mr Speaker: Minister Iswaran, I believe you had asked to take the supplementary questions after responses to the next two Parliamentary Questions (PQs)?
The Minister for Communications and Information (Mr S Iswaran): Yes.
Mr Edwin Tong Chun Fai: I can take the supplementary questions now if Members —
Mr Speaker: I believe the request is to take it altogether later. Ms Sylvia Lim.
Ms Sylvia Lim (Aljunied): Question No 13.