‘I am sorry’: Gan Kim Yong says health ministry providing support to HIV sufferers affected by data leak
SINGAPORE: Health Minister Gan Kim Yong apologised on Monday (Jan 28) after confidential information belonging to 14,200 HIV-positive people was leaked online.
The sensitive information included names, identification numbers, phone numbers, addresses and HIV test results, the Ministry of Health (MOH) said in a press release.
Those records are in the possession of Mikhy K Farrera Brochez, an American who was deported from Singapore last April after he was convicted of fraud and drug-related offences and sentenced to 28 months’ jail.
His boyfriend, Singaporean doctor Ler Teck Siang, had access to the HIV registry.
“I am sorry that one of our former staff who was authorised to have access to confidential information in our HIV registry appears to not have complied with our security guidelines,” said Mr Gan.
“We have been working with police and other entities to disable the access to this data online since Jan 25 and we are continuing to monitor the situation. We take a serious view of this matter.”
Mr Gan added that the case against Ler is before the courts.
“We will not hesitate to take stern action against staff who violate security guidelines, abuse their authority or abuse access to information,” he told reporters.
The records leaked were those of 5,400 Singaporeans diagnosed with HIV up to January 2013 and 8,800 foreigners, including work and visit pass applicants and holders, diagnosed with HIV up to December 2011.
The details of another 2,400 of their contacts – identified through contact tracing – up to May 2007 were also leaked.
MOH said it lodged a police report against Brochez in May 2016, when it received information that he had confidential information that appeared to be from the HIV registry. Brochez and Ler’s properties were searched, and relevant material seized and secured by the police.
Two years later in May 2018, after Brochez had been deported from Singapore, the ministry received information that Brochez still had part of the records. The information did not appear to have been disclosed publicly. MOH lodged another police report, and contacted the affected individuals.
On Jan 22 this year, MOH was notified by the police that Brochez may still have more information from the HIV Registry, and had leaked it online. The ministry said it then worked with “relevant parties” to disable access to the information.
The ministry has been progressively contacting those affected since Saturday, said Mr Gan, adding that a hotline has been set up for them to seek assistance.
“Our counsellors are also available to assist them and to provide additional support if necessary,” said the health minister. “Our priority remains on the patients' well-being. We will extend whatever assistance and support that we can for them.”
Mr Gan said his ministry will continue to strengthen and review its system to ensure that it is secured.
MOH said earlier on Monday that since 2016, new safeguards against the mishandling of information by authorised staff have been put in place.
A two-person approval process to download and decrypt registry information was implemented to ensure that the data cannot be accessed by a single person. A workstation specifically configured and locked down to prevent unauthorised information removal was designated for the processing of sensitive information from the HIV Registry.
The use of unauthorised portable storage devices on official computers was also disabled by MOH in 2017, as part of a government-wide policy.