HIV-positive status of 14,200 people LEAKED online - An Analysis

The Singapore Ministry of Health, in a media briefing said the HIV positive status of 14,200 people were leaked online.The records were those of 5,400 Singaporeans diagnosed with HIV from 1985 to January 2013 and 8,800 foreigners, including work and visit pass applicants and holders, diagnosed with HIV from 1985 to December 2011.  The leaked information included their names, identification numbers, phone numbers, addresses, HIV test results and medical information. Alleged Person or Persons Behind the Leak

According to the Ministry of Health, the person behind the leak is  an “unauthorised person” in possession – Mikhy K Farrera Brochez (Mr A). Mr A was deported from Singapore in April 2018, after he was convicted of fraud and drug-related offences and sentenced to 28 months’ jail. He was remanded in prison in June 2016. Mr A was a partner of Ler Teck Siang (Mr B), a male Singaporean doctor who was also head of MOH’s National Public Health Unit from March 2012 to May 2013. Prior to resigning in January 2014, Mr B had access to the HIV Registry as required for his work. The ministry said it lodged a police report against Mr A in May 2016, when it received information that he had confidential information that appeared to be from the HIV Registry.

Mystery of How the Information was Leaked online

The briefing by the authorities said Mr A, the person behind the online leak is the partner of Mr B, the person who stole the information. The authorities had in 2016 lodged a report with the police against Mr A based on information they had that Mr A is in possession of the leak data.

New Safeguards for Disease Registries

The government said since 2016, new safeguards against the mishandling of information by authorised staff have been put in place

A two-person approval process to download and decrypt registry information was implemented to ensure that the data cannot be accessed by a single person. A workstation specifically configured and locked down to prevent unauthorised information removal was designated for the processing of sensitive information from the HIV Registry.

The use of unauthorised portable storage devices on official computers was also disabled by MOH in 2017, as part of a government-wide policy.

Warning by the Singapore Police

The Singapore Police Force (SPF) warned people against sharing any of the leaked information online as it is an offence under the Singapore Official Secrets Act (OSA) for any person to be in possession of, communicate or use any of the confidential data that may have been disclosed. 

Misperception

The leak was NOT the result of a breach. It was purely a case of a theft being carried out physically where an authorised person who has access to the information, stole it. We urged those who are covering this story and those who are sharing it to be mindful and report the case as such i.e the details were made available pursuant to a physical theft and not as a result of weaknesses in the IT system.  The heading above flashed across various media created an immediate perception to the public that hackers are at work again - hacking into the database of the Singapore health system. And this is not surprising as it comes hot on the heels of last year's hacking into SingHealth's database. In fact the heading is a disservice to the hackers - who at times prides on their work - while the above is a theft, carried out in physical form, with the `fruits' of the theft shared online, an act which does not require much skill sets in undertaking it.

Unanswered Questions

The briefing to the media created more unanswered questions than answering the concerns of those who were affected by the availability of their data in the public sphere.The Singapore authorities said Mr A was convicted of fraud and drug-related offences i,e Mr A does things for its financial rewards. In this case, why would Mr A or Mr B or both, want to `release' the data online without being compensated financially?Or the remote possibility that Mr A and or Mr B is doing it out of spike and vengeance for how their employer treated Mr B?Or they have already sold it to a 3rd party or parties and these parties are releasing it with the following intention i,e to confirm publicly that they have the `real' data and the people whose name are in the list, having received `official acknowledgement that the claim is real' pays them to help them altered their personal records?If for the remotest reason that Mr A did released it online unconditionally without any financial compensation, then the authorities should be more worried. Hackers, without lifting a finger, now have access to a treasure trove of personal details for free which they can lift it `offline' and work on it individually or collectively, days or months or years later to devastating effect, a scenario which is more frightening than the current revelation.Singapore has announced new measures pursuant to the physical theft. But it did not address the concerns of those individuals whose identities are now in the public sphere how they are protected from future threats arising from this debacle.

What is the response and action to be taken by Singapore's privacy watchdog?

Singapore's privacy watchdog acted with efficiency in investigating and imposing a fine on SingHealth and their cybersecurity service provider. In this case, where it was not an infiltration into the IT system but a physical theft that resulted - end result is similar in both instances - confidential data being made available in cyberspace without the consent of the individuals concerned, would the Singapore privacy watchdog investigate with the same zeal as it did in SingHealth's case?The breach in SingHealth happened in mid 2018 and the investigation results was made known in December 2018. In this case, the authorities knew of the data being leaked online without consent since 2016 when they lodged a police report against Mr A.

Note : The above analysis were made solely based on publicly available media reports. No verification were made as to confirm the validity and veracity of these publicly available media reports. If there is any incorrect statement, the responsibility lies solely on the publicly available media reports.