The HIV-positive status of 14,200 people in Singapore – along with sensitive and confidential information such as identification numbers, contact details, addresses – have been leaked online, the Singapore Ministry of Health announced yesterday. Some details here:

  • Records of 5,400 Singaporeans and 8,800 foreigners diagnosed with HIV up to January 2013 were leaked.
  • The leaked data included names, identification numbers, phone numbers, address, HIV test results and medical information.
  • The names, identification number, phone number and addresses of another 2,400 contacts – identified via contact tracing – were also leaked.
  • MediaNama has withheld the information relating to the number of deaths because of HIV, and their gender, in order to protect their privacy.

The leak comes just a week after Singapore’s privacy watchdog slapped penalties totaling to $1 million on two companies – Integrated Health Information Systems (IHiS) and SingHealth – for a June 2018 breach which compromised the personal information of 1.5 million patients, including that of the Singapore Prime Minister Lee Hsien Loong and other ministers.

Who leaked this data

According to the government’s statement, an HIV positive US Citizen, Mikhy K Farrera Brochez, who lived in Singapore from 2008 was behind the leak. The health ministry said that the data is still in his possession, even though access to the database has been disabled.

33-year-old Brochez was convicted and jailed for fraud and drug-related offences in 2016, and deported from Singapore last year. Brochez’s fraud conviction was related to him lying about his HIV status to the Singapore government to gain an employment pass into the country. His former partner, Singaporean doctor Ler Teck Siang, who is the former head of Singapore’s National Public Health Unit, was convicted of abetting Brochez’s fraud by offering his own blood sample (for HIV status testing) labelled as Brochez’s.

Singapore officials were first made aware that Brochez was in possession of the data in May 2016, after which his property was searched and the data was presumably seized from him. However, on January 22, the government was informed that Brochez could still possess the HIV registry data.

Yesterday, health officials said that they have tried to contact all the affected people – Singaporeans and foreign residents – but was able to reach only 900 of them. The government has set up a hotline for them and counselling will be offered.

Penalties of $1 million for patient data breach

Singapore’s Personal Data Protection Commission dished out a penalty of $750,000 of IHiS, the technology vendor of Singapore’s health sector, for lapses in securing patient data, which resulted in cyberattacks in June 2018 leading to the country’s worst privacy breach. The authority also penalised SingHealth, even though it is not a vendor, with $250,000. The commission reasoned that SingHealth was also responsible since was the owner of the patient database.

It is worth noting that both bodies SingHealth and IHiS were wholly-owned subsidiaries of MOH Holdings, through which the Singapore government owns corporate institutions in the public health sector.

India’s draft Data Protection Bill

The draft Data Protection Bill, 2018, classifies health data, data related to sexual orientation and sex life, as sensitive personal data, among other data like financial data and passwords. The bill also establishes a Data Protection Authority of India, which is empowered to oversee the enforcement of the bill. The draft bill lays down financial penalties for non-compliance ranging from Rs 5 crores or 2% of total worldwide turnover to Rs 15 crores rupees or 4% of the total worldwide turnover.

The bill has not been tabled in Parliament yet, but is likely to progress after the 2019 Lok Sabha elections 2019.

Also read

Our privacy coverage here.