SINGAPORE: The HIV-positive status of 14,200 people – along with confidential information such as their identification numbers and contact details – has been leaked online by an "unauthorised person", the Ministry of Health (MOH) said on Monday (Jan 28).
The records were those of 5,400 Singaporeans diagnosed with HIV from 1985 to January 2013 and 8,800 foreigners, including work and visit pass applicants and holders, diagnosed with HIV from 1985 to December 2011.
The leaked information included their names, identification numbers, phone numbers, addresses, HIV test results and medical information. The details of another 2,400 of their contacts – identified through contact tracing – up to May 2007 were also leaked, MOH said in a press release.
At a media briefing held on Monday to shed light on the matter, Permanent Secretary of Health Chan Heng Kee said that of the 5,400 Singaporeans whose details were leaked, 1,900 have died. Of those living, 90 per cent are male, MOH said.
The information was leaked by and is still in the possession of Mikhy K Farrera Brochez, an HIV-positive American who lived in Singapore from 2008. He was convicted of numerous fraud and drug offences, as well as lying to the Ministry of Manpower about his HIV status, the health ministry said.
Brochez was remanded in prison in June 2016, sentenced to 28 months' jail and deported from Singapore in April 2018.
The HIV registry contains information on individuals diagnosed with HIV, a notifiable disease under the Infectious Diseases Act. The ministry said it uses the registry to monitor the HIV infection situation, conduct contact tracing and assess disease prevention and management measures.
“While access to the confidential information has been disabled, it is still in the possession of the unauthorised person, and could still be publicly disclosed in the future,” MOH said. “We are working with relevant parties to scan the Internet for signs of further disclosure of the information.
“We are sorry for the anxiety and distress caused by this incident. Our priority is the well-being of the affected individuals,” the ministry added.
READ: ‘I am sorry’: Gan Kim Yong says health ministry providing support to those affected by data leak
“We appeal to members of the public to notify MOH immediately should they come across information related to this incident, and not further share it.”
MOH has been "progressively contacting" people who might have been affected by the leak and said that as of 1pm on Monday, 900 had been approached.
BROCHEZ WAS PARTNER OF SINGAPOREAN DOCTOR
Brochez used his Singaporean doctor partner's blood sample to pass blood tests so that he could work in Singapore, the health ministry said.
His partner, Ler Teck Siang, was the head of MOH’s National Public Health Unit from March 2012 to May 2013. Prior to resigning in January 2014, Ler had access to the HIV registry as required for his work, the ministry said.
Ler is believed to have mishandled the information and did not comply with policies on the handling of confidential information.
MOH said it lodged a police report against Brochez in May 2016, when it received information that he had confidential information that appeared to be from the HIV registry. Brochez and Ler’s properties were searched, and relevant material seized and secured by the police.
Two years later in May 2018, after Brochez had been deported from Singapore, the ministry received information that Brochez still had part of the records. The information did not appear to have been disclosed publicly. MOH lodged another police report, and contacted the affected individuals.
On Jan 22 this year, MOH was notified by the police that Brochez may still have more information from the HIV registry, and had leaked it online.
The ministry verified that the leaked information matched its registry’s records up to January 2013. MOH said it then worked with “relevant parties” to disable access to the information.
Mr Chan said MOH did not make it public earlier that Brochez had the data because the most important consideration was whether it is in the people's interest and their well-being.
"In a case where the information is more contained, we will take a more conservative approach given that we do know that the persons in this registry would have concerns about a public announcement," he said.
Brochez is currently under police investigation, and Singapore authorities are seeking assistance from their foreign counterparts, MOH said, without specifying any country.
In June 2016, Ler was charged for offences under the Penal Code and the Official Secrets Act (OSA). In September 2018, he was convicted of abetting Brochez to commit cheating, and also of providing false information to the police and MOH, and sentenced to 24 months’ jail. His appeal is scheduled to be heard in March this year.
Ler was also charged under the OSA for failing to take reasonable care of confidential information on those who are HIV positive. This charge is pending before the courts.
“MOH takes a grave view of such matters, and will not hesitate to take stern action against staff and other individuals who abuse their authority and access to confidential information, or fail to handle such information in a proper manner,” the ministry said.
Ler, who is on bail pending his appeal, remains registered as a doctor, MOH said.
WARNING AGAINST SHARING
The Singapore Police Force warned people against sharing any of the leaked information online.
“We are seeking the assistance of our foreign counterparts in our investigations. It is inappropriate to comment on the case further as investigations are ongoing," it said.
"The police would like to remind the public that it is an offence under the OSA for any person to be in possession of, communicate or use any of the confidential data that may have been disclosed.
"Police will not hesitate to take stern action, including prosecution, against those who have breached the OSA. A person found guilty of the wrongful possession, communication or use of confidential data shall be liable to a fine not exceeding S$2,000, and to imprisonment for a term not exceeding two years.”
NEW SAFEGUARDS FOR DISEASE REGISTRIES
Since 2016, new safeguards against the mishandling of information by authorised staff have been put in place, MOH said.
A two-person approval process to download and decrypt registry information was implemented to ensure that the data cannot be accessed by a single person. A workstation specifically configured and locked down to prevent unauthorised information removal was designated for the processing of sensitive information from the HIV registry.
The use of unauthorised portable storage devices on official computers was also disabled by MOH in 2017, as part of a government-wide policy.