For the second time inside a year, private health information belonging to people in Singapore has been compromised. Following a hack disclosed last summer that affected the patient records of up to 1.5 million citizens, Singapore’s Ministry of Health (MOH) on announced on Monday that personal details and the HIV-positive status of 14,200 people were posted online in another medical data breach. Officials say the details of 5,400 Singaporeans and 8,800 foreigners dating up to January 2013 were compromised.
Breach caused by individual residing in Singapore from 2008 to 2016
The MOH revealed that the confidential information is in the illegal possession of one Mikhy Farrera Brochez, a male US citizen who was residing in Singapore, on an employment pass, between January 2008 and June 2016. Brochez was remanded in Prison in June 2016. He was convicted of numerous fraud and drug-related offences in March 2017, and sentenced to 28 months’ imprisonment. The fraud offences were in relation to Brochez lying about his HIV status to the Ministry of Manpower, in order to obtain and maintain his employment pass, furnishing false information to Police officers during a criminal investigation, and using forged degree certificates in job applications. Upon completing his sentence, Brochez was deported from Singapore. He currently remains outside Singapore.
The hack comes just months after the records of 1.5m Singaporeans, including Prime Minister Lee Hsien Loong, were stolen last year. Confidential information including names, addresses, HIV status and other medical information is reportedly included in the latest breach..
He is the former partner of Ler Teck Siang, the former head of Singapore’s National Public Health Unit, who was convicted of helping Farrera-Brochez falsify his medical records to disguise his HIV-positive status.
Breach was due to non-compliance of confidential data protection policies
Officials said Ler offered his own blood labelled as Farrera-Brochez’s to allow him entry to the country. In a statement, the health ministry blamed Ler for the breach, accusing him of not complying with the policies regarding the handling of confidential data.
“I’m sorry that one of our former staff who was authorised to have access to confidential information in our HIV registry appears to not have complied with our security guidelines,” Health Minister Gan Kim Yong said at a Monday news conference
They said they were first made aware in 2016 that the American may have had confidential information – but thought all material had been seized and secured by police.
Additional safeguards put in place against mishandling of information by authorised staff
The MOH also added that since 2016, additional safeguards against mishandling of information by authorised staff have been put in place. For example, a two-person approval process to download and decrypt Registry information was implemented in September 2016, to ensure that the information cannot be accessed by a single person. A workstation specifically configured and locked down to prevent unauthorised information removal was designated for processing of sensitive information from the HIV Registry. The use of unauthorised portable storage devices on official computers was disabled in MOH in 2017, as part of a government-wide policy.
MOH said they will continue to regularly review our systems to ensure that they remain secure and that the necessary safeguards are in place. The Ministry of Health also appealed to members of the public to notify them immediately should they come across information related to this incident, and not further share it.