During the pandemic, a lot of entities took steps to collect information to try to limit the spread of COVID. Thomson Medical had a portal for visitors, but instead of the data being stored in a secured database, it was stored in both a secured database and one that could be accessed by the public. The failure to have realized that and corrected it pre-launch merited some response, but it appeared that no one’s data had been accessed and the data was not particularly sensitive data like diagnosis, treatment, etc. As a result, the Commissioner decided to impose a corrective plan in lieu of a monetary penalty.
Directions were issued to Thomson Medical to conduct scan of the web to ensure no publication of affected personal data online and to include in the review of its application deployment process, measures such as the arrangements for security testing and the implementation of data retention policy. This is pursuant to a data breach incident from an unsecured Health Declaration Portal which enabled public access to visitors’ personal data.
[…]
The Commission’s investigations revealed that the affected CSV file contained the personal data of 44,679 of the Organisation’s visitors, including the date and time of visit, temperature, type of visitor (purpose of visit), name of visitor, name of newborn, contact number, NRIC/FIN/passport number, doctor/clinic name or room visiting, and answers to a health declaration questionnaire (which included a declaration by the visitor that he/she did not have any symptoms or
recent exposure to the Covid-19 virus).
Read more about the incident and decision at PDPC.