Earlier this week, the Ministry of Health (MOH) in Singapore announced that confidential information regarding 14,200 individuals diagnosed with HIV up to January 2013, and 2,400 of their contacts, has been illegally disclosed online and is in the possession of an unauthorised person. This is another serious data breach in the healthcare system, following the SingHealth cyberattack of June to July last year, in which 1.5 million patient records were illegally accessed. A Committee of Inquiry (COI) was quickly formed for that case and its findings were published earlier this month.
For the case of the HIV data leak, MOH was alerted by the police on 22 January and the Ministry made a police report on 23 January. On 24 January, MOH ascertained that the information matched the HIV Registry’s records up to January 2013. From 24 to 25 January, MOH worked with the relevant parties to disable access to the information.
The records were those of 5,400 Singaporeans diagnosed with HIV up to January 2013 and 8,800 foreigners (including work and visit pass applicants/holders) diagnosed with HIV up to December 2011. The information included their name, identification number, contact details (phone number and address), HIV test results and related medical information. The name, identification number, phone number and address of 2,400 individuals identified through contact tracing up to May 2007 were also included.
Background
The confidential information is in the illegal possession of Mikhy K Farrera Brochez, a male US citizen who was residing in Singapore, on an employment pass, between January 2008 and June 2016. Brochez was remanded in prison in June 2016. He was convicted of numerous fraud and drug-related offences in March 2017, and sentenced to 28 months’ imprisonment. The fraud offences were in relation to Brochez lying about his HIV status to the Ministry of Manpower, in order to obtain and maintain his employment pass, furnishing false information to Police officers during a criminal investigation, and using forged degree certificates in job applications. Upon completing his sentence, Brochez was deported from Singapore. He currently remains outside Singapore.
Brochez was a partner of Ler Teck Siang, a male Singaporean doctor. As the Head of MOH’s National Public Health Unit (NPHU) from March 2012 to May 2013, Ler had authority to access information in the HIV Registry as required for his work. Ler resigned in January 2014. He was charged in Court in June 2016 for offences under the Penal Code and the Official Secrets Act (OSA). In September 2018, Ler was convicted of abetting Brochez to commit cheating, and also of providing false information to the Police and MOH. He was sentenced to 24 months’ imprisonment. Ler has appealed, and his appeal is scheduled to be heard in March 2019. In addition, Ler has been charged under the OSA for failing to take reasonable care of confidential information regarding HIV-positive patients. Ler’s charge under the OSA is pending before the Courts.
According to an article by The Straits Times, it is understood that Ler no longer has a certificate to practise medicine in Singapore and no longer has access to the confidential information of patients in the National Electronic Health Records (NEHR), which includes all public-sector patients.
Timeline of events leading up to the leak
May 2016 – MOH lodged a police report after receiving information that Brochez was in possession of confidential information that appeared to be from the HIV Registry. Their properties were searched, and all relevant material found was seized and secured by the Police.
May 2018 – After Brochez had been deported from Singapore, MOH received information that Brochez still had part of the records he had in 2016. The information did not appear to have been disclosed in any public manner. MOH lodged a police report, and contacted the affected individuals to notify them.
22 January 2019 – MOH was notified that more information from the HIV Registry could still be in the illegal possession of Brochez. On this occasion, he had disclosed the information online.
What could have happened
This incident is believed to have arisen from the mishandling of information by Ler, who is suspected of not having complied with the policies and guidelines on the handling of confidential information.
Additional safeguards in disease registries
Since 2016, additional safeguards against mishandling of information by authorised staff have been put in place. For example, a two-person approval process to download and decrypt Registry information was implemented in September 2016, to ensure that the information cannot be accessed by a single person.
A workstation specifically configured and locked down to prevent unauthorised information removal was designated for processing of sensitive information from the HIV Registry. The use of unauthorised portable storage devices on official computers was disabled in MOH in 2017, as part of a government-wide policy.
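The two-person approval to download and decrypt described above can be enforced cryptographically rather than only procedurally. The sketch below is an added example, not MOH's implementation or code from the original article: it assumes a 2-of-2 XOR key split, and the class name, custodian names and request ID are hypothetical.

```python
import hashlib
import hmac
import secrets


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """2-of-2 XOR split: each share alone is uniformly random and reveals nothing."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


class DualControlRelease:
    """Hypothetical gate: rebuilds the export key only from two distinct custodians."""

    def __init__(self, key_digest: bytes, custodians: set[str]):
        self.key_digest = key_digest      # SHA-256 of the key, used to check the rebuild
        self.custodians = custodians      # the two named share holders
        self.pending: dict[str, dict[str, bytes]] = {}

    def approve(self, request_id: str, custodian: str, share: bytes) -> None:
        if custodian not in self.custodians:
            raise PermissionError(f"{custodian} is not a registered custodian")
        # Keyed by custodian: a repeat approval by the same person never counts twice.
        self.pending.setdefault(request_id, {})[custodian] = share

    def release(self, request_id: str) -> bytes:
        shares = self.pending.get(request_id, {})
        if len(shares) != 2:
            raise PermissionError("two distinct custodians must approve this request")
        first, second = shares.values()
        key = bytes(x ^ y for x, y in zip(first, second))
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self.key_digest):
            raise ValueError("shares do not reconstruct the export key")
        del self.pending[request_id]      # approvals are single-use
        return key


if __name__ == "__main__":
    export_key = secrets.token_bytes(32)  # constructed sample key
    share_a, share_b = split_key(export_key)
    gate = DualControlRelease(hashlib.sha256(export_key).digest(), {"officer_a", "officer_b"})
    gate.approve("req-001", "officer_a", share_a)
    try:
        gate.release("req-001")
    except PermissionError as err:
        print("denied:", err)
    gate.approve("req-001", "officer_b", share_b)
    print("released:", gate.release("req-001") == export_key)
```

Because neither share decrypts anything on its own, a single authorised user who copies their share (or the encrypted export) still cannot read the data without the second custodian.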