Personal records of HIV-positive individuals in Singapore leaked online

The personal information of 14,200 people in Singapore with HIV (human immunodeficiency virus) was reportedly leaked online in yet another data breach that has come to light in the city-state.

According to Singapore’s Ministry of Health (MOH), the information included the names, identification numbers, contact details, HIV test results and related medical information of 5,400 Singaporeans and 8,800 foreigners diagnosed with HIV in Singapore.

The information was leaked by Mikhy K Farrera Brochez, a HIV-positive male American who was residing in Singapore, on an employment pass, between January 2008 and June 2016.

He allegedly gained access to the information through his Singaporean partner Ler Teck Siang, the head of MOH’s National Public Health Unit who was authorised to access information in the national HIV registry as required for his work.

Brochez had lied about his HIV status to the Ministry of Manpower to obtain and maintain his employment pass, among other offences. He was remanded in prison in June 2016, and later sentenced to 28 months’ imprisonment in March 2017 for numerous fraud and drug-related offences.

Upon completing his sentence, Brochez was deported from Singapore. He currently remains outside Singapore.

Ler was charged in June 2016 for offences under the Penal Code and the Official Secrets Act (OSA). In September 2018, Ler was convicted of abetting Brochez to commit cheating, and also of providing false information to the police and MOH.

He was sentenced to 24 months’ imprisonment. Ler has appealed, and his appeal is scheduled to be heard in March 2019. In addition, Ler has been charged under the OSA for failing to take reasonable care of confidential information regarding HIV-positive patients. Ler’s charge under the OSA is pending before the courts.

MOH said that since 2016, additional safeguards against mishandling of information by authorised staff have been put in place.

For example, a two-person approval process to download and decrypt HIV registry information was implemented in September 2016 to ensure that the information cannot be accessed by a single person.

A workstation specifically configured and locked down to prevent unauthorised information removal was also designated for processing of sensitive information from the HIV registry.

Carl Leonard, principal security analyst at Forcepoint, told Computer Weekly in May 2018 that “organisations are still neglecting the danger posed by the humans working inside those organisations, despite the fact this has been recognised as one of the root causes of data breaches for many years”.

The latest data breach in Singapore’s healthcare sector comes after the unprecedented attack on the IT systems of the SingHealth public healthcare group in 2018 that compromised the non-medical personal details of about 1.5 million patients.