Personal information from 14,200 people diagnosed with HIV was leaked online by an American living in Singapore who, through his partner, had illegally accessed the data.
According to local authorities, the data of another 2,400 people listed as part of a contact tracing process has also been exposed online. In a statement issued Monday by the Singapore Ministry of Health, Mikhy K Farrera Brochez, a US citizen residing in Singapore, said that confidential data from his HIV registry had been illegally accessed and leaked on a pass.
The persons concerned included 5,400 Singaporeans and 8,800 foreigners diagnosed with HIV between January 2013 and December 2011. The ministry said that their name, identification number, contact details including telephone and address, HIV test results and related medical information had been leaked.
The names, identification numbers, telephone numbers and addresses of 2,400 identified as part of the contact tracing process up to May 2007 were also identified. The Health Ministry said that it was alerted by local police that the data was in Brochez ‘s possession, who had previously been convicted of various fraud and drug-related crimes, in particular for lying about his HIV status in order to maintain his job pass and use forged degree certificates in applications for employment.
Since then, he has been deported from Singapore and stays outside his shores. Brochez had illegally accessed the data through his partner, Ler Teck Siang, who was a Singaporean doctor and had authorized access to data in the local HIV registry as head of the National Public Health Unit of the Health Minister.
The database contains information on HIV-positive individuals and is used to monitor the HIV infection status of the country, to facilitate contact tracing and to evaluate prevention measures for diseases.
Ler resigned in January 2014 and was convicted of inciting Brochez to commit fraud and to provide the police and the Ministry of Health with false information. He was also charged under the Official Secrets Act of Singapore for failing to take reasonable care with confidential data on HIV-positive patients.
In May 2016, the Ministry submitted a police report stating that Brochez had confidential information, which appeared to be from the HIV Registry, which prompted a property search during which relevant information was found and taken.
The American was deported in May 2018, after which the Ministry of Health was informed that certain records from 2016 were still kept, however, the data did not appear to have been exposed. Only on 22 January this year the Ministry was alerted that further information from the HIV registry remained in Brochez ‘s hands, who had leaked the information online this time.
The Ministry of Health said that it had started to contact affected persons about the incident and worked to “disable access to information.” “We are working with relevant parties to scan the Internet for signs of further information disclosure, “he said, adding that Brochez is currently under police investigation and that local authorities are seeking help from their counterparts abroad.
It noted that additional safeguards have been implemented since 2016 against the misuse of information by authorized staff, including a two-person approval process for the download and decryption of information from the register.
In addition, a workstation was specifically set up and “locked “to prevent unauthorized data from being deleted from the HIV registry. As part of a government-wide policy, the use of unauthorized portable storage devices on official computers was also disabled.
Commenting on the data leak, the Action for AIDS in Singapore said that it was “deeply troubled “because the breach could “damage “the lives of people living with HIV.” We stand with all those whose personal information has been accessed and infringed. This is a criminal act to be condemned and replied to as severely as possible, “Monday said in a statement.
In July 2018, personal data of 1,5 million SingHealth patients have been compromised in the most serious data breach in Singapore to date and found to be the result of misconfigured IT systems and IT staff who lacked knowledge and resources about cybersecurity.