Personal information belonging to 14,200 individuals diagnosed with HIV has been leaked online by an American living in Singapore who had illegally accessed the data through his partner. The data of another 2,400 people listed as part of a contact tracing process also has been exposed online, according to local authorities.
Singapore's Ministry of Health said in a statement Monday that confidential data from its HIV registry had been illegally accessed and leaked by Mikhy K Farrera Brochez, a US citizen residing in Singapore on an employment pass. The affected individuals included 5,400 Singaporeans and 8,800 foreigners who had been diagnosed with HIV up to January 2013 and December 2011, respectively.
Their names, identification numbers, contact details including phone numbers and addresses, as well as HIV test results and related medical information had been leaked, the ministry said. The names, identification numbers, phone numbers, and addresses of 2,400 individuals identified, up to May 2007, as part of a contact tracing process also had been exposed.
The Health Ministry said it was alerted by local police that the data had been in the possession of Brochez, who previously was convicted of various fraud and drug-related offences, specifically for lying about his HIV status in order to maintain his employment pass and using forged degree certificates in job applications. He has since been deported from Singapore and remains outside its shorelines.
Brochez had illegally accessed the data through his partner Ler Teck Siang, who was a Singaporean doctor and, as head of the Health Ministry's National Public Health Unit, had authorised access to data in the local HIV registry. The database contains information related to HIV-positive individuals and is used to monitor the country's HIV infection status, facilitate contact tracing, and assess disease prevention measures.
Ler resigned in January 2014 and was convicted of abetting Brochez to commit fraud and providing false information to the police and Health Ministry. He also was charged under Singapore's Official Secrets Act for failing to adopt reasonable care with confidential data regarding HIV-positive patients.
The ministry in May 2016 had filed a police report stating that Brochez had confidential information that appeared to be from the HIV Registry, prompting a property search during which relevant information was found and seized. The American was deported in May 2018, after which the Health Ministry was notified that he still held on to some records from 2016, though the data did not appear at that time to have been exposed.
It was only on January 22 this year that the ministry was alerted to the possibility that more information from the HIV registry remained in the hands of Brochez who, this time, had leaked the information online.
The Health Ministry said it had begun contacting affected individuals about the incident and was working to "disable access to the information". "We are working with relevant parties to scan the Internet for signs of further disclosure of the information," it said, adding that Brochez currently was under police investigation and local authorities were seeking assistance from their foreign counterparts.
It noted that, since 2016, additional safeguards against the mishandling of information by authorised staff had been implemented, including a two-person approval process to download and decrypt information from the registry. In addition, a workstation had been specifically configured and "locked down" to prevent the unauthorised removal of data from the HIV registry. The use of unauthorised portable storage devices on official computers also was disabled as part of a government-wide policy.
Commenting on the data leak, Singapore's Action for AIDS said it was "deeply troubled" as the breach could "damage" the lives of individuals living with HIV. "We stand with all whose private information may have been accessed and violated. This is a criminal act that should be condemned and answered in the most severe terms possible," it said in a statement Monday.
In July 2018, personal data of 1.5 million SingHealth patients was compromised in Singapore's most severe data breach to date, which was found to be the result of misconfigured IT systems and IT staff who lacked cybersecurity awareness and resources.