For the second time inside a year, private health information belonging to people in Singapore has been compromised.
Following a hack disclosed last summer that affected the patient records of up to 1.5 million citizens, Singapore’s Ministry of Health revealed today that personal details and the HIV-positive status of 14,200 people were posted online by a convicted fraudster.
Unlike last year’s data breach — which was caused by what appears to be a targeted cyberattack — the details this time around were exposed by unauthorized access to the ministry’s HIV Registry, which occurred in person.
Mikhy K. Farrera-Brochez, a U.S. citizen who spent more than eight years in Singapore before being deported last year over fraud and drug-related offences, is said to have posted the information on the internet after he gained access to it via his partner Ler Teck Siang, a doctor who once led the Ministry of Health’s National Public Health Unit.
It isn’t clear where the details were posted, but the ministry said access to the leak has been “disabled.” However, since Farrera-Brochez is believed to have retained details in person, it is entirely possible that they may appear again. In a bid to mitigate that threat, the Singapore government is “working with relevant parties to scan the Internet for signs of further disclosure of the information” and is “seeking assistance from… foreign counterparts.”
“We are sorry for the anxiety and distress caused by this incident. Our priority is the wellbeing of the affected individuals. Since 26 January, we have been progressively contacting the individuals to notify them and render assistance,” the ministry wrote in an announcement.
It urged anyone who comes into contact with the information to turn it in and “not further share it.”
The registry lists the name, ID number, phone number, email address, HIV test results and related medical information for 5,400 Singapore nations who were diagnosed with HIV up to January 2013. It includes the same details for 8,800 foreigners as of December 2011, and the details of 2,400 related contacts up to May 2007.
The government introduced system safeguards in September 2016 to limit the potential for rogue access to the data. That included a two-person approval process for data downloads, a dedicated workstation to prevent unauthorized access and the disabling on portable storage devices that could be used to transport information.
Police were first alerted that Farrera-Brochez was in possession of the data in May 2016. It wasn’t until two years later that they were told that he had retained the information. Despite an investigation, they learned Farrera-Brochez had disclosed the details online just over one week ago.
Farrera-Brochez is currently located outside of Singapore. He worked in the country between 2008 and 2016, but was charged for faking his HIV test result using Ler’s blood and using fake qualifications to earn a work permit. After completing a two-year sentence, he was deported in May 2018
Ler is waiting on an appeal after he was handed a two-year jail term for abetting Farrera-Brochez, providing false information to authorities and failing to take care of confidential information.