In the beginning of 2019, Singapore was shaken up by a massive scandal. The HIV positive statuses of over 14,000 people got leaked online alongside their ID numbers and contact details. As the scandal unfolded, numerous lessons have been learned when it comes to protecting sensitive data and ensuring the safety of society’s most vulnerable members.

A Privacy Breach

The total number of HIV status profiles leaked as per official authority reports reached 14,200. Of these, 5,400 profiles belonged to HIV-positive Singaporeans diagnosed prior to 2013. An additional range of 8,800 accounts belonging to diagnosed foreigners was also exposed.

In a statement by the Ministry of Health, it was made clear that the confidential information came in the possession of an unauthorised person. Once this happen, the data, including personal details, was all divulged online.

Since the end of January, the Ministry of Health started contacting affected individuals to notify them of the data leak and to offer assistance. Assistance options were also set up to mitigate the effects of the leak.

The Ministry of Health does maintain an HIV registry that is kept private and only used for public health purposes. Some of the issues addressed through the registry creation and the information contained in it include disease surveillance and monitoring, contact tracing, assessing disease treatment and prevention measures, etc.

Through tracking changes in the registry, the Singaporean government can determine what amount of financial resources is adequate for disease control and prevention.

The Fraudster Behind the Leak

Singapore’s Ministry of Health announcement identified Mikhy K Farrera Brochez as the person responsible for the leak.

Brochez, a US citizen, entered Singapore in 2008 on an employment pass. In June 2016, he was arrested on fraud and drug-related charges. In March 2017, Brochez received a 28-month sentence. One of the fraudulent offenses included Brochez lying about his HIV status to the Ministry of Manpower in order to get a Singaporean employment pass.

The investigation also found out that Brochez had partnered up with a Singaporean doctor called Ler Teck Siang. Ler had access to the Ministry of Health HIV registry because such information was a prerequisite for doing his job.

Ler resigned from his position in 2014 and he was charged with offences under the Penal Code and the Official Secrets Act in 2016. Ler was found guilty of assisting Brochez and of providing false information to the Ministry of Health. He was sentenced to 24 months in prison.

Brochez is believed to have leaked the sensitive information after leaving Singapore in 2019.

The HIV registry data leak is considered to be the result of information mismanagement by Ler. Ler probably didn’t comply with official guidelines aimed at the safe handling of confidential information.

These offenses are prosecuted very seriously, as medics in Singapore (just like in all other parts of the world) are tasked with preserving and protecting the confidentiality of their patients.

Anger and Frustration Among Affected Individuals

Needless to say, people affected by the data breach have been frustrated and angered by the dissemination of their sensitive information.

While the Ministry of Health reported that the access to the sensitive information has been disabled, numerous people worry about their employment and even their ability to get health insurance in the aftermath of the leak.

The fact that addresses have also been leaked contributes to additional worries and fear about the safety of family members.

Ministry of Health did set up a hotline in the aftermath of the HIV registry leak for the purpose of assisting affected individuals and answering their questions. Counselling is also made readily available to enable these individuals move forward without the fear of social or employment repercussions.

People who were diagnosed with HIV at a later period of time have also told media they worry about such information being made public. Some haven’t told their families about the HIV positive status and would like to maintain affairs in their current state.

Even people who have been out and open about their HIV positive status say that such forced outings are cruel and unjust. They could have a profoundly negative effect on some of the most vulnerable members of society.

Advocacy groups and advocates have stepped forward to offer assistance. Some even claim that affected individuals could sue the government for negligence in terms of handling sensitive data.

It’s still not certain how the case will unfold. Many questions are yet to be answered, regardless of the fact that the leak took place early in 2019.

One thing is certain – measures will probably be undertaken to ensure the security of the HIV registry and to prevent further breaches in the future. Now that vulnerabilities have been identified and highlighted, chances are that the government will work hard to prevent similar accidents from taking place in the future.