Data of 14,200 with HIV leaked online: What you need to know about the case

Ler Teck Siang (left) and Mikhy Farrera Brochez are at the centre of a high-profile data breach in the healthcare sector that came to light on Jan 28, 2019.

SINGAPORE - The Ministry of Health (MOH) said on Monday (Jan 28) that confidential information of 14,200 people diagnosed with HIV was leaked online.

Here's what you need to know about the case.

1. What information was disclosed?

The details that have been leaked from the HIV Registry's records include those of 5,400 Singaporeans and permanent residents diagnosed with HIV up to January 2013, and 8,800 foreigners diagnosed up to December 2011.

This included each person's name, identification number, phone number, address, HIV test results and related medical information.

The name, ID number, phone number and address of 2,400 people identified through contact tracing up to May 2007 were also included.

2. Who leaked the information?

The information was held and leaked by Mikhy Farrera-Brochez, 33, a male US citizen who was in Singapore on an employment pass between January 2008 and June 2016.

In March 2017, he was sentenced to 28 months in jail for fraud and drug-related offences, including lying to the Ministry of Manpower about his own HIV status. Farrera-Brochez, who was HIV-positive, was found to have used his boyfriend's blood for an HIV test to apply for an employment pass to stay in Singapore. He later worked as a polytechnic lecturer.

He was deported from Singapore upon completing his sentence in April 2018.

3. How did Farrera-Brochez get hold of the information?

Farrera-Brochez's partner was Ler Teck Siang, a male Singaporean doctor who was head of MOH's National Public Health Unit from March 2012 to May 2013.

Ler, 36, had the authority to access information in the HIV Registry for his work.

Ler, who is still a registered doctor but cannot practise medicine in Singapore, has been charged under the Official Secrets Act (OSA) for failing to take reasonable care of confidential information regarding HIV-positive patients.

In September 2018, Ler was convicted of abetting Farrera-Brochez to commit cheating and of providing false information to the police and MOH. He has appealed against the 24-month sentence.

4. When did MOH find out about the leak?

In May 2016, MOH received information that Farrera-Brochez held confidential details which appeared to be from the HIV Registry. A police report was made.

Farrera-Brochez and Ler's properties were searched, and all relevant material found then were seized by the police.

In May 2018, after Brochez was deported, the ministry received information that he still had part of the records he had in 2016. MOH filed a police report, and notified those affected. At the time, the records did not appear to have been disclosed publicly. MOH made a police report and contacted the affected people to notify them.

Last Tuesday (Jan 22), the ministry was notified by police that confidential information from the HIV Registry could be in Farrera-Brochez's possession, and had been leaked online.

5. Where is Farrera-Brochez now?

He is currently not in Singapore, and MOH was unable to comment further on Monday as the police are investigating the case.

The police are investigating him for various offences, and the authorities are seeking assistance from their foreign counterparts.

6. Has MOH contacted those affected by the leak?

Of the 5,400 Singaporeans and PRs affected, 1,900 have died and 3,500 are still living.

MOH said more than 1,000 of the 3,500 have been successfully contacted as of 4pm on Monday.

According to the ministry, a large number of the foreigners are no longer in Singapore.

7. What has MOH done to prevent future leaks?

The ministry had put in place additional safeguards against mishandling of information by authorised staff since 2016.

These measures include:

- A two-person approval process to download and decrypt information from the HIV Registry. This process ensures that the confidential details cannot be accessed by a single person.

- A workstation was specifically configured and locked down to prevent unauthorised removal of information. It was also used for processing sensitive information from the HIV Registry.

- The use of personal storage devices on official computers was disabled in MOH in 2017, as part of a government-wide policy.

On Monday, MOH said that it will continue to regularly review its systems to ensure they remain secure and that the necessary safeguards are in place.

Join ST's Telegram channel and get the latest breaking news delivered to you.