Singapore health ministry under global media spotlight for HIV data leak

Singapore's Ministry of Health (MOH) is garnering global media attention, with several notable international media outlets such as The Wall Street Journal, BBC, Reuters, Bloomberg, CNN and South China Morning Post all carrying the news that confidential information of approximately 14,200 individuals diagnosed with HIV has been illegally disclosed online. This is the second major security breach in Singapore: in July last year, a cyberattack on the SingHealth system infiltrated the SingHealth database containing over 1.5 million patients' personal particulars.

MOH shared, in a press statement, that confidential information regarding 14,200 individuals diagnosed with HIV up to January 2013, and 2,400 of their contacts, is in the possession of an unauthorised person. While access to the confidential information has been disabled, MOH added that the data acquired could still be publicly disclosed in the future. It is currently working with relevant parties to scan the Internet for signs of further disclosure of the information.

The incident was first brought to light on 22 January, when the police notified MOH of disclosed information from MOH's HIV Registry. The records were those of 5,400 Singaporeans diagnosed with HIV up to January 2013 and 8,800 foreigners diagnosed with HIV up to December 2011. The information included their name, identification number, contact details (phone number and address), HIV test results and related medical information. The name, identification number, phone number and address of 2,400 individuals identified through contact tracing up to May 2007 were also included. MOH has since contacted the affected individuals to notify them of the leak.

The confidential information was supposedly leaked by a male US citizen, Mikhy K Farrera Brochez, who was residing in Singapore on an employment pass between January 2008 and June 2016. He was a partner of Singaporean doctor Ler Teck Siang. As the head of MOH’s National Public Health Unit (NPHU) from March 2012 to May 2013, Ler had authority to access information in the HIV Registry as required for his work.

The incident is said to have arisen from the mishandling of information by Ler, who is suspected of not having complied with the policies and guidelines on the handling of confidential information. He resigned in January 2014, and was charged in court in June 2016 for offences under the Penal Code and the Official Secrets Act (OSA). In September 2018, Ler was convicted of abetting Brochez to commit cheating, and also of providing false information to the police and MOH.

He was sentenced to 24 months’ imprisonment but appealed, and his appeal is scheduled to be heard in March 2019. In addition, Ler has been charged under the OSA for failing to take reasonable care of confidential information regarding HIV-positive patients. Ler’s charge under the OSA is pending before the courts.

Meanwhile, Brochez was remanded in prison in June 2016, convicted of numerous fraud and drug-related offences in March 2017, and sentenced to 28 months’ imprisonment. The fraud offences related to Brochez lying about his HIV status to the Ministry of Manpower in order to obtain and maintain his employment pass, furnishing false information to police officers during a criminal investigation, and using forged degree certificates in job applications. Upon completing his sentence, Brochez was deported from Singapore and currently remains outside Singapore. He is under police investigation for various offences, and the authorities are seeking assistance from their foreign counterparts.

Statistics by Meltwater show that social sentiment around the data leak has been neutral (66%) thus far. However, media exposure has risen today compared to two days ago. Trending topics included "Singapore", "positive status", "leaked online", "US citizen leaks data", "contact details", "HIV patients", "online", "records" and "people".

This comes as the second major security breach in Singapore. In July last year, consumers were notified of a breach that had occurred in the SingHealth system. The major cyberattack on 4 July infiltrated the SingHealth database containing over 1.5 million patient personal particulars and outpatient dispensed medicines.

According to a joint press release from the Ministry of Communications and Information and the Ministry of Health, information on approximately 160,000 outpatient dispensed medicines was retrieved. However, it was not tampered with. SingHealth also took measures to create a temporary surfing network for its staff to work on, and other public healthcare institutions will be taking the same action as well. The statement added that no financial data, medical records and personal data of patients were accessed, and that it has taken measures to notify all patients and to apologise.