Confidential information of 14,200 people with HIV, including their names, contact details and medical information, has been stolen and leaked online, and the culprit is an American fraudster, the Ministry of Health revealed on Monday (Jan 28).
Mikhy Farrera-Brochez, the man behind the leak, lived in Singapore from 2008 before being jailed in 2017 for several fraud and drug-related offences and lying to the Ministry of Manpower about his own HIV status.
His partner was Ler Teck Siang, a Singaporean doctor who was head of MOH’s National Public Health Unit (NPHU) from March 2012 to May 2013 and had access to the HIV Registry for his work. He has been charged under the Official Secrets Act for failing to take reasonable care of confidential information regarding HIV-positive patients.
The records that have been leaked include those of 5,400 Singaporeans diagnosed with HIV up to January 2013, and 8,800 foreigners diagnosed up to December 2011, MOH said at a press conference at the College of Medicine Building.
This included each person’s name, identification number, phone number and address, HIV test results and related medical information. The name, identification number, phone number and address of 2,400 people identified through contact tracing up to May 2007 was also included.
“We are sorry for the anxiety and distress caused by this incident,” said the ministry in a statement.
“Our priority is the well-being of the affected individuals,” it added, saying that it has been contacting affected individuals to inform and help them since Saturday (Jan 26), and that it has worked with relevant parties to disable access to the information.
However, the information is still in the hands of Farrera-Brochez, who was deported after he had served his jail term. He currently remains outside Singapore.
It came to light on Monday that Farrera-Brochez, who was HIV-positive, had not only used his boyfriend’s blood to pass blood tests so he could work in Singapore, but that he had also got hold of information illegally from the HIV registry which his doctor boyfriend had access to.
The latest breach, while not due to a cyber attack, comes after Singapore’s worst cyber attack in 2018. From June 27 to July 4 last year, hackers infiltrated the computers of SingHealth and stole the personal particulars of 1.5 million patients, including Prime Minister Lee Hsien Loong.
Farrera-Brochez, 33, who was a polytechnic lecturer here and held an employment pass, was sentenced to 28 months in jail in 2017 for offences including cheating and possession of drugs.
Farrera-Brochez’s boyfriend, Singaporean doctor Ler, 36, had submitted his own blood sample in place of the American’s to help him get an employment pass here. Ler, who is still a registered doctor, has been sentenced to two years in jail for abetment of cheating and for giving a false statement to a public servant, He is appealing.
The ministry said it was notified by the police last Tuesday (Jan 22) that confidential information of HIV patients had been leaked, and made a police report the following day (Jan 23).
Since 2016, it noted, additional safeguards against mishandling of information by authorised staff have been put in place, including a two-person approval process to download and decrypt information.
MOH stressed that it will continue to regularly review its systems to ensure they remain secure and that the necessary safeguards are in place.
Health Minister Gan Kim Yong told reporters on Monday: “We take a serious view of this matter. Our former staff has been charged in court and the case is pending, and we will not hesitate to take stern action against staff who violate security guidelines, abuse their authority or abuse their access to information.”
He added: “I also understand the concerns, the anxiety and distress faced by our affected patients and our priority is their well-being.
“Going forward, we will continue to strengthen and to review our systems to ensure they are secure, and our priority remains the patients’ well-being and we will extend whatever assistance and support that we can for them.”
The Health Ministry has set up a hotline for those who need additional information, and counsellors are also available to assist them and to provide additional support if necessary, he said.
It has appealed to the public to notify the ministry immediately if they come across information related to the incident, and not to share it. Those with information or concerns can call the MOH hotline on 6325-9220.
When contacted, they police said they are seeking the help of their foreign counterparts in their investigations.
“The Police would like to remind the public that it is an offence under the Official Secrets Act (OSA) for any person to be in possession of, communicate or use any of the confidential data that may have been disclosed. Police will not hesitate to take stern action, including prosecution, against those who have breached the OSA,” said a spokesman.
A person found guilty of the wrongful possession, communication or use of confidential data can be fined up to $2,000, and jailed up to two years.
Text: Chang Ai-Lien, Fabian Koh, Salma Khalik / The Straits Times / January 2019