HIV data leak: Unanswered questions and information gaps remain

HIV data leak: Unanswered questions and information gaps remain

Ler Teck Siang and Mikhy Farrera Brochez
Dr Ler Teck Siang and his partner Mikhy Farrera Brochez are at the centre of the data leak of Singapore's HIV registry. (Photos: Faith Medical Group, Clark County Detention Centre/Mugshots.com)

SINGAPORE: In announcing the shocking news that the HIV-positive status of 14,200 people - along with other confidential information such as their identification numbers and contact details - has been leaked online, the authorities provided some background to the circumstances that led to the disclosure.

While an outline understanding of the complex series of events has emerged, unanswered questions and information gaps still remain. 

For instance, why did the authorities not make it public in May 2016 when it was known that the confidential information was in the hands of an "unauthorised person"? 

At a media briefing held on Monday (Jan 28), Permanent Secretary of Health Chan Heng Kee said the Ministry of Health (MOH) did not make it public earlier that Brochez had the data because the most important consideration was whether it was in the people's interest, and their well-being.

"In a case where the information is more contained, we will take a more conservative approach given that we do know that the persons in this registry would have concerns about a public announcement," he said.

READ: Gan Kim Yong says health ministry providing support to HIV sufferers affected by data leak

As the public awaits further details on the facts behind the case, some of the other key questions that will need to be addressed are as follows:

1. How did the data remain in the hands of "unauthorised" people after May 2016?

What we know: Director of the Communicable Diseases Division at the Ministry of Health (MOH) Associate Professor Vernon Lee said in Monday's briefing to the media that his ministry lodged a police report in May 2016, after receiving information that Mikhy Farrera Brochez was in possession of confidential information that appeared to be from the HIV registry. At the time, the properties occupied by Brochez and his partner Ler Teck Siang were searched by the police and all “relevant” material found was seized and secured, he said.

Further questioned as to whether it was fair to say that the police did not perform a complete search, thus leading to Brochez being able to retain some information and then leak it, Permanent Secretary of Health Chan, who was also part of the panel chairing the briefing, said: “I can’t comment on how he had this information that has just been exposed, but I can say that both Ler’s and Brochez’ properties were searched by the police and whatever relevant material then was seized.”

2. How many affected individuals were told in May 2018 that confidential information about them was in the hands of an unauthorised person?

What we know: Assoc Prof Lee said that in May 2018, MOH received information that Brochez still had part of the records he had in 2016. This was a month after Brochez finished serving a jail sentence for other offences and was deported from Singapore. 

MOH lodged a police report and contacted the affected individuals even though the information did not appear to have been leaked publicly, he said. When asked how many individuals were affected, Mr Chan said: “It was a very small number”, but did not elaborate.

READ: The leaking of Singapore’s HIV registry records and the hunt for Mikhy Farrera Brochez: A timeline

3. Where was Brochez deported to in April 2018 after serving his prison term?

What we know: Nothing was revealed about where Brochez was deported to after being released from prison. The Immigration and Checkpoints Authority (ICA) said they could not share the information because of “confidentiality reasons”.

Nothing was also said about whether the Singapore authorities were monitoring him after he left the country.

He is, however, known to have arrived in the US state of Kentucky by December 2018, when he was arrested and charged with third-degree criminal trespass.

His mother, Teresa King, had called the police after Brochez banged on the door of her home. He had previously been warned to stay away from the house in Winchester, Kentucky.

After he returned and refused to leave the property, Brochez was taken into custody and charged.

The 34-year-old has been ordered to return to the district court on Feb 18 to face the charge of criminal trespass.

The Singapore Police Force has said it is “seeking the assistance of our foreign counterparts” in its investigations, without naming the countries or organisations involved.

READ: American wanted in Singapore for HIV data leak, charged in US for trespassing

4. Why was the Official Secrets Act charge against Ler Teck Siang stood down?

What we know: Singaporean doctor Ler Teck Siang, who was head of MOH's National Public Health Unit, is believed to have passed the data to Brochez. Ler has faced a number of charges in court, but the one - issued in June 2016 - under the Official Secrets Act (OSA) for “failing to retain possession of a thumb drive” containing data from the HIV registry has been "stood down" - that is, put aside for the time being. 

MOH says that it is pending before the courts.

The Attorney General's Chambers (AGC) did not comment when asked why the charge was stood down. 

Lawyers told Channel NewsAsia that the decision on which charges to stand down or proceed with lies with the prosecution. 

Mr Eugene Thuraisingam pointed to an article in the Constitution which states: "The Attorney-General shall have power, exercisable at his discretion, to institute, conduct or discontinue any proceedings for any offence." 

"In other words, Article 35(8) vests wide discretion in the AG as public prosecutor in the conduct of criminal proceedings," said Mr Thuraisingam. "When an accused person is charged with multiple offences and decides to claim trial, prosecutorial discretion entails that the prosecution can decide which specific charges to proceed with at trial, and which charges to stand down." 

He added that the prosecution "is not required to give reasons for why they decide to proceed with certain charges and not others". 

Explaining the rationale for prosecutorial discretion, IRB Law partner Jeremy Cheong and IRB Law associate Mato Kotwani said: "Like all organisations, the prosecution has limited resources and cannot investigate and prosecute every matter that is reported." 

READ: HIV myths debunked

HOW DOES THE PROSECUTION DECIDE WHICH CHARGES TO STAND DOWN? 

Ms Tania Chin, partner at Withers KhattarWong, said the prosecution could stand down certain charges if the strengths or merits of the stood down charges are affected by the verdict or conclusion of the proceeded charges. 

In another scenario, if an accused person is convicted of the proceeded charges and sentenced, the sentence could be determined as an adequate deterrent and there would be less of a need to expend resources on the stood down charges. 

The prosecution could also consider how best they want to present their evidence in deciding which charges to stand down and proceed with first, said Ms Chin. 

The prosecution also may decide to withdraw a stood down charge after they secure a conviction for the proceeded charge, said IRB Law lawyers Mr Cheong and Mr Kotwani. 

They added that other factors that may influence a decision to stand down a charge include evidence given by a co-accused, or if further investigations or reports are necessary. 

Ms Chin of Withers KhattarWong added that the prosecution will simply inform the courts which charges they are standing down, and "nothing else is required from any other party before a charge can be successfully stood down". 

Asked about why certain cases with mixed charges for various offences are dealt with all at once while charges in other cases are dealt with separately, Withers KhattarWong partner Shashi Nathan said it is the prosecution's prerogative, and both situations commonly arise. 

"The length of time it takes for the prosecution to proceed with a charge depends on each case, with its own particular set of facts," he said. 

On how the prosecution could decide the sequence of charges to proceed on, Mr Thuraisingam said: "The easiest to prove are usually proceeded with first, in the absence of any other strategic reasons." 

WHAT HAPPENS WHEN A CHARGE IS STOOD DOWN? 

Ms Chin said there are three possible outcomes for stood down charges. 

The prosecution may proceed with the charge, withdraw it, or take the charge into consideration when sentencing, if the accused person pleads guilty to the stood down charge. 

Should the prosecution fail to convict the accused person in a trial with proceeded charges, they can choose to revive the stood down charges, said Mr Thuraisingam. 

"The accused person will then have to defend the previously stood down charges at trial or plead guilty to them, notwithstanding that he was acquitted for the charges which were initially proceeded with," he explained. 

"Of course in this scenario, the prosecution also retains the discretion to drop the previously stood down charges and not pursue them any further."

5. How was access to the confidential information disabled?

What we know: MOH said on Monday that it had “worked with the relevant parties to disable access” to the confidential data leaked on the Internet. 

It added that it is working with “relevant parties to scan the Internet for signs of further disclosure of the information”.  

It did not, however, disclose the identities of the relevant parties nor did it specify how the information was disabled. 

Acronis security researcher Ravikant Tiwari told Channel NewsAsia that such stolen information is generally uploaded on various hack forums and file-sharing sites such as Pastebin and Mega, and is usually hosted on Web servers overseas.  

Disabling access would require a joint effort from government organisations, Internet service providers and the wider tech industry, he said.  

Governments will need the help of tech partners to scan the Internet for the occurrence of such data, identify the server or servers the data are hosted on and the residing country, and issue a takedown request. 

If taking down a Web domain, this can be done at the domain registrar level, Mr Ravikant explained. Domain registrars, in general, are companies people turn to to create a website. The Computer Emergency Response Teams (CERTs) for the relevant countries would also be in contact during this time.  

“Having said that, taking down one website can’t solve the problem completely,” the researcher said. “Most probably it will reappear in other places, or could be copied and distributed by other people.” 

READ: HIV-positive individuals anxious, frustrated after MOH data leak

Another cybersecurity professional, Mr Dexter Ng, added that once the data hits the Dark Web, “there is no way to completely disable access”.  

“Cybercriminals as a practice make multiple copies, move and alter the data, which means complete removal of the data cannot be done,” said the CTO of bug bounty platform AntiHack.me. 

Acronis’ Ravikant added that unlike the Internet we know and use, the Dark Web is “not regulated and is decentralised, which means there is no authority or point of contact you can reach for disabling access”. 

Reporting by Lydia Lam, Kevin Kwang, Jalelah Abu Baker and Michael Yong. 

Source: CNA/db

Bookmark