The Singapore government has dismissed suggestions it tried to cover up a security incident that led to the personal data of 14,200 individuals diagnosed with HIV being leaked online. Explaining the time lapse between the discovery of the breach and its public announcement, the country's health minister says it had a "responsibility to balance" what would be in the best interests of the affected individuals and the general public.
The ministry last month said personal information of 5,400 Singaporeans and 8,800 foreigners who had been diagnosed with HIV was leaked online by an American living in Singapore who had illegally accessed the data through his partner, a Singaporean doctor. The data of another 2,400 people listed as part of a contact tracing process had also been exposed online.
While the American was investigated by the police and the health ministry between 2014 and 2016 for possibly submitting fake blood tests, it was only in late April 2016 that authorities uncovered evidence he had illegally accessed HIV-related data of 75 individuals. A police report was lodged the following month and he was sentenced to 28 months in prison for various offences, including drug-related offences.
Following his release and deportation in May 2018, the American sent a screenshot containing 31 records from the HIV Registry to several Singapore government authorities, which determined the data was not new and part of the original dataset he had accessed.
It was only in January 2019 that further evidence revealed he might be holding onto more information from the HIV registry beyond the initial 75 datasets. In addition, he had put the information online and provided the link to a non-government party.
The ministry then decided to make a public announcement on 28 January despite its concerns about the impact on affected individuals, said Health Minister Gan Kim Yong, who spoke in parliament on Tuesday. He added that the American had contacted several individuals in 2018, giving them links to confidential information he had uploaded online. To address such attempts, the ministry had been working with the police and other relevant parties to disable access to the information as quickly as possible, Gan said.
"The Ministry of Health (MOH) had to decide whether to inform the affected persons and make a public announcement. In making those decisions, MOH had a responsibility to balance the opposing considerations and exercise judgement on what would best serve the interest of the affected persons and the public," the minister said.
"MOH made a judgement call, balancing the various considerations. It is arguable that MOH should have made a different call, but I reject any allegation that MOH sought to cover up the incident," he said.
According to Gan, the ministry had taken steps to better safeguard personal data and access to it. He pointed to a data analytics group that was set up in April 2018, which encompassed a data governance division tasked with establishing policies, practices, and guidelines for the health ministry and its associated agencies.
"The aim is to protect and secure access to health sector data, in accordance with data protection requirements in the Government Instruction Manuals and Personal Data Protection Act, and other MOH sectoral legislation," he noted. "In light of the recent incident, and the increased prevalence of data use across the healthcare sector, it is important to ensure data security and governance policies are strictly adhered to on the ground."
Government to remain exempted from data protection act
Also during Tuesday's parliament sitting, Member of Parliament and chairperson of opposition party Workers' Party, Sylvia Lim, asked if the public sector should remain exempt from the country's Personal Data Protection Act (PDPA) in light of the recent data breaches.
In response, Minister for Communications and Information S Iswaran said differences in data access and processes between private and government organisations underscored the need for "different approaches" to how personal data was protected in the two sectors. Governed by the Public Sector (Governance) Act (PSGA), which was introduced last year, government agencies need access to a common data resource for better policy making, which will improve responsiveness, Iswaran said.
For instance, he said, front-line social services officers could more quickly assess applicants for financial assistance if they had access to data from other relevant agencies. Private businesses, in comparison, are expected to be individually accountable for the personal data they possess and are not expected to deliver integrated cross-organisation services.
"Because of these important differences, we need and have adopted different approaches to the protection of personal data in the public and private sectors. That is also why the PDPA applies only to the private sector, while the PSGA and other legislation govern data protection in the public sector," the minister said. He added that both pieces of legislation were reviewed regularly to ensure they remained relevant and effective in protecting personal data in the two sectors.