HIV registry data leak not result of hack-in by advanced persistent threat actors
Following an alert by the Police, the Ministry of Health (MOH) has ascertained that confidential information regarding 14,200 individuals diagnosed with HIV up to January 2013, and 2,400 of their contacts, is in the possession of an unauthorised person. The information has been illegally disclosed online. MOH have worked with the relevant parties to disable access to the information.
2 We are sorry for the anxiety and distress caused by this incident. Our priority is the wellbeing of the affected individuals. Since 26 January, we have been progressively contacting the individuals to notify them and render assistance.
3 On 22 January, MOH was notified by the Police that confidential information from MOH’s HIV Registry may have been disclosed by an unauthorised person. MOH made a Police report on 23 January. On 24 January, MOH ascertained that the information matched the HIV Registry’s records up to January 2013.From 24 to 25 January, MOH worked with the relevant parties to disable access to the information.
4 The records were those of 5,400 Singaporeans diagnosed with HIV up to January 2013 and 8,800 foreigners diagnosed with HIV up to December 2011. The information included their name, identification number, contact details (phone number and address), HIV test results and related medical information. The name, identification number, phone number and address of 2,400 individuals identified through contact tracing up to May 2007 were also included.
5 While access to the confidential information has been disabled, it is still in the possession of the unauthorised person, and could still be publicly disclosed in the future. We are working with relevant parties to scan the Internet for signs of further disclosure of the information.
6 The confidential information is in the illegal possession of one Mikhy K Farrera Brochez, a male US citizen who was residing in Singapore, on an employment pass, between January 2008 and June 2016. Brochez was remanded in Prison in June 2016. He was convicted of numerous fraud and drug-related offences in March 2017, and sentenced to 28 months’ imprisonment. The fraud offences were in relation to Brochez lying about his HIV status to the Ministry of Manpower, in order to obtain and maintain his employment pass, furnishing false information to Police officers during a criminal investigation, and using forged degree certificates in job applications. Upon completing his sentence, Brochez was deported from Singapore. He currently remains outside Singapore.
7 Brochez was a partner of Ler Teck Siang, a male Singaporean doctor. As the Head of MOH’s National Public Health Unit (NPHU) from March 2012 to May 2013, Ler had authority to access information in the HIV Registry as required for his work. Ler resigned in January 2014. He was charged in Court in June 2016 for offences under the Penal Code and the Official Secrets Act (OSA). In September 2018, Ler was convicted of abetting Brochez to commit cheating, and also of providing false information to the Police and MOH. He was sentenced to 24 months’ imprisonment. Ler has appealed, and his appeal is scheduled to be heard in March 2019. In addition, Ler has been charged under the OSA for failing to take reasonable care of confidential information regarding HIV-positive patients. Ler’s charge under the OSA is pending before the Courts.
8 In May 2016, MOH had lodged a Police report after receiving information that Brochez was in possession of confidential information that appeared to be from the HIV Registry. Their properties were searched, and all relevant material found were seized and secured by the Police.
9 In May 2018, after Brochez had been deported from Singapore, MOH received information that Brochez still had part of the records he had in 2016. The information did not appear to have been disclosed in any public manner. MOH lodged a police report, and contacted the affected individuals to notify them.
10 On 22 January 2019, MOH was notified that more information from the HIV Registry could still be in the illegal possession of Brochez. On this occasion, he had disclosed the information online.
11 Brochez is currently under Police investigation for various offences, and the authorities are seeking assistance from their foreign counterparts.
12 This incident is believed to have arisen from the mishandling of information by Ler, who is suspected of not having complied with the policies and guidelines on the handling of confidential information. MOH takes a grave view of such matters, and will not hesitate to take stern action against staff and other individuals who abuse their authority and access to confidential information, or fail to handle such information in a proper manner.
Additional Safeguards in Disease Registries
13 Since 2016, additional safeguards against mishandling of information by authorised staff have been put in place. For example, a two-person approval process to download and decrypt Registry information was implemented in September 2016, to ensure that the information cannot be accessed by a single person. A workstation specifically configured and locked down to prevent unauthorised information removal was designated for processing of sensitive information from the HIV Registry. The use of unauthorised portable storage devices on official computers was disabled in MOH in 2017, as part of a government-wide policy.
14 MOH will continue to regularly review our systems to ensure that they remain secure and that the necessary safeguards are in place.
15 We appeal to members of the public to notify MOH immediately should they come across information related to this incident, and not further share it. Members of the public who have such information or other concerns can contact our hotline at 6325 9220.
 The HIV Registry contains information concerning individuals diagnosed with HIV, a notifiable disease under the Infectious Diseases Act (IDA). MOH relies on information from the Registry to monitor the HIV infection situation, conduct contact tracing in relation to HIV patients and assess disease prevention and management measures.
 This includes work and visit pass applicants/ holders.