HIV data leak: Security safeguards for HIV Registry in 2012-2013 in line with prevailing government policies

As the National Public Health Unit head then, Singaporean doctor Ler Teck Siang had the authority to access information in the HIV Registry as required for his work. PHOTO: ST FILE

SINGAPORE - Before 2012, staff of the National Public Health Unit (NPHU) were allowed to use personal thumb drives to download the HIV Registry to carry out their work such as routine data entry, contact tracing and analysis.

This was because the Registry was then placed in a secured network drive, which meant the file could only be accessed and downloaded from government-issued computers, and was password-protected.

As the NPHU head then, Singaporean doctor Ler Teck Siang had the authority to access information in the HIV Registry as required for his work.

This was revealed by Health Minister Gan Kim Yong in Parliament, while answering questions from MPs regarding the purpose and safeguards of the HIV Registry.

Ler is believed to have downloaded confidential information from the HIV Registry into a thumb drive, and then failed to retain possession of it.

He has since been charged under the Official Secrets Act (OSA) for mishandling the information.

Ler's American partner - Mikhy Farrera Brochez - was found to have access to the confidential HIV-related data since May 2016. Brochez also sent some of the records to his mother as well as to several government authorities.

On Jan 22 this year, he posted online the information from the entire HIV Registry, prompting the MOH to disclose the data breach and triggering public concerns about the level of data security and safeguards on staff access to confidential information.

In Parliament on Tuesday, Mr Gan said the security safeguards for the HIV Registry in 2012 and 2013 were in accordance with prevailing government policies on classified information and IT security at that time.

"Staff were briefed on the policies, systems and processes, and regularly reminded of the sensitivity of the information, which they should access on a need-to-know basis," he said.

"All of them signed an undertaking to observe confidentiality obligations under the OSA."

Mr Gan said Singapore is not unique in having such a registry containing information of people diagnosed with HIV, citing other countries such as the United States and Canada which have similar databases.

He explained that the information is used to monitor the HIV infection situation, conduct contact tracing and assess disease prevention and management measures.

"The data needs to be identifiable for purposes such as contact tracing to protect those who are contacts of HIV patients," said Mr Gan.

He explained that the HIV Registry database had been migrated to a network-based system in 2012, even before the complaint from Brochez in November 2012 to MOH that Ler had shared screenshots of his HIV status with others.

NPHU staff no longer had to download a database file from a network drive, password-protected and accessible only from government-issued computers.

They could instead retrieve records from the network-based system, enhancing the audit trail, said Mr Gan. In 2014, alerts of multiple failed log-in attempts were added to the system.

"MOH continues to follow the security policies from the Singapore Government Instruction Manual for the Security of Classified Info. In tandem with the Government guidelines, we implemented several controls to tighten our systems," said Mr Gan, in response to Mr Seah Kian Peng's (Marine Parade GRC) question on additional measures taken to ensure data security.

The NPHU system was further strengthened in 2016, following a data security review by MOH's Chief Data Officer.

Downloading and decrypting HIV Registry data now requires approval from the Director of the Communicable Diseases Division or higher, with a two-person approval process to ensure information cannot be accessed by a single person.

A dedicated workstation for handling data from the HIV Registry was also set aside and locked down to prevent unauthorised data removal.

In 2017, the unit complied with government-wide policy to disable the use of unauthorised portable storage devices on official computers, and only allow use of authorised and encrypted thumb drives, said Mr Gan.

Moving forward, he said a Data Analytics Group had been set up in April last year, to focus on data usage and safeguards.

Within the group is a six-person Data Governance Division which formulates policies, practices and guidelines for MOH and its agencies.

Mr Gan said that MOH will "expand the role and resourcing of this unit", and task it with a specific mandate and team to look into the compliance and audit of data access and use.

"The aim is to protect and secure access to health sector data, in accordance with data protection requirements in the Government Instruction Manuals and Personal Data Protection Act, and other MOH sectoral legislation," said Mr Gan.

He added that in the light of the HIV Registry leak, and the increased use of data across the healthcare sector, having staff adhere to data security and governance policies is crucial.

"A policy is as good as how much it is practised on the ground and, therefore, it's important for us to make sure that they have practised what the policy requires," he said.

As for the recruitment of staff handling sensitive information, Mr Gan said there is "no foolproof system" as the integrity of a person can only be proven over time.

Join ST's Telegram channel and get the latest breaking news delivered to you.