Personal Data of 14,200 HIV Patients Leaked Online By American Partner of S’porean Doctor

In July 2018, Singapore was hit by its worst cyber attack ever.

Hackers stole 1.5 million patients personal particular, including that of Prime Minister Lee Hsien Loong and a few other ministers.

According to this Straits Times report:

“The hackers infiltrated the computers of SingHealth, Singapore’s largest group of healthcare institutions with four hospitals, five national speciality centres and eight polyclinics. Two other polyclinics used to be under SingHealth.”

This was PM Lee’s post on the cyber attack in July 2018:

On 10 January 2019, the Committee of Inquiry (COI) report on the cyber attack was released to the tune of a 453-page long report offering 16 recommendations.

Some of the findings included, but not limited to, were:

“Staff who fell prey to phishing attacks. Weak administrator passwords. Not applying a patch that could have stopped the hacking. And an IT cyber-security team that could not even recognise a security incident.”

Subsequently, on Jan 14 2019, the Integrated Health Information Systems (IHiS), the central IT agency responsible for Singapore’s healthcare sector shared that it had sacked 2 employees and slapped a financial penalty on five of its senior management team members, including CEO Bruce Liang, as a result of the finding and investigation.

Now, that was over a cyber attack.

Personal Data of 14,200 HIV Patients in S’pore Leaked Online

Fast forward to yesterday, my phone abuzzed with ST push notifications, I found out that the confidential data of “14,200 people with HIV, including their names, contact details and medical information, [had] been stolen and leaked online” by an American fraudster, Mikhy Farrera-Brochez, according to this Straits Times report.

In addition, the list includes “5,400 Singaporeans diagnosed with HIV up to January 2013, and 8,800 foreigners diagnosed up to December 2011” as well as “2,400 people identified through contact tracing up to May 2007.”

There’s more to it, however.

One might have thought this was possibly due to a state-sponsored cyber attack or another series of negligent practices culminating in a large-scale leak.

That’s however, quite far from the truth.

It appears, as more reports emerge that, Mikhy Farrera-Brochez, had illegally obtained the list from his partner Ler Teck Sian, who was head of MOH’s National Public Health Unit (NPHU) from March 2012 to May 2013 and had access to the HIV Registry for his work.

This is the lowdown of what transpired.

The Chronological Breakdown

Early 2008: Mikhy Farrera-Brochez moved to Singapore a year after getting romantically involved with local general practitioner Ler Teck Siang, 35, whom he had met online.

March 2008: In order to apply for an Employment Pass (EP), Farrera-Brochez, who was in fact HIV-positive, had used Dr Ler’s blood for the test.

Post-March 2008: Farrera-Brochez attained an EP and began work as a polytechnic lecturer.

Between February 2012 – May 2013: Ler, an infectious diseases specialist, worked as a medical officer at the Communicable Diseases Division (CDC) where he had access to the HIV Registry

Sometime in 2013: Using Dr Ler’s blood, Farrera-Brochez similarly fooled the authorities while applying for a Personalised Employment Pass (PEP) when his EP was up for renewal.

January 2014: Ler resigned.

May 2016: Farrera-Brochez was found guilty of possession of ketamine and cannabis mixture.

“Investigations further revealed that his various educational certificates, including one from the University of Paris, were forged.”

June 2016: Ler was charged for offences under the Penal Code and Official Secrets Act (OSA) and Farrera-Brochez was remanded in prison.

March 2017: Farrera-Brochez was sentenced to 28 months in jail for offences including cheating and possession of drugs.

April 2018: Farrera-Brochez was released from prison and deported.

May 2018: After Farrera-Brochez’s deportation, MOH received information that Brochez still had part of the records he had in 2016. At the time, according to ST “the records did not appear to have been disclosed publicly. MOH made a police report and contacted the affected individuals to notify them.”

September 2018: Ler was convicted of abetting Farrera-Brochez to commit cheating, and for providing false information to the police and MOH. He was sentenced to 24 months’ jail.

Jan 22, 2019: The police notified MOH that confidential information from MOH’s HIV Registry could be in Farrera-Brochez’s possession, and had been leaked online.

Jan 23, 2019: MOH made a police report.

Jan 24, 2019: MOH ascertained that disclosed information matched the HIV Registry’s records up to Jan 2013.

Jan 24-25, 2019: MOH worked with relevant parties to disable access to the information.

March 2019: Ler’s appeal against his 24-month sentence to be heard.

Questions Abound

It is not quite certain how Ler’s abetment in providing false blood samples for Farrera-Brochez’s EP application led to the former acquiring the HIV Registry’s records.

One can postulate that in Ler’s capacity at the CDC, he had used his access privileges to check if Farrera-Brochez was within the HIV Registry’s records.

Most devastatingly though, is how patients affected by the leak will cope, in the wake of such confidential information being made available publicly.

Mr G. Chew who is fairly open about his HIV-positive status to his company and well-meaning friends shared with ST:

“My company is of course aware that I have HIV, and I am fairly open about it to well-meaning friends who ask me about my illness out of genuine concern,” said Mr Chew, an administrative officer who has been contacted by the Ministry of Health (MOH) that he was affected by the data leak.

“However, I definitely fear that all this personal information might be publicly available to people at my workplace and beyond to scrutinise. Also, it’s the Internet – once it’s up there and shared over and over, it’s inerasable.

There is still a great stigma against people who have HIV. Information that I have HIV is definitely not something I want online. It’s not like it’s an award.”

While Jay (not his real name) who has kept mum about his condition said:

“Having HIV is to me an embarrassing thing and definitely an extremely private matter,” Jay told the ST, adding that only one close friend had known about his illness.

“I have not told my mother about it, and I don’t intend to. I have accepted that AIDS is what I have to live with forever, but I am afraid that if this information is made public, that my family and close friends will be ostracised and laughed at.”

So readers, if you happen to come across any such data, please refrain from sharing them and do report it to the relevant authorities.