Before 2012, staff of the National Public Health Unit (NPHU) were allowed to use personal thumb drives to download the HIV Registry to carry out their work, such as routine data entry, contact tracing and analysis.
This was because the registry was then kept on a secured network drive, which meant the file could be accessed and downloaded only from government-issued computers, and it was password-protected.
This was revealed by Health Minister Gan Kim Yong in Parliament when answering questions from MPs regarding the purpose and safeguards of the HIV Registry.
As the NPHU head then, Singaporean doctor Ler Teck Siang had the authority to access information in the HIV Registry as required for his work. He is believed to have downloaded confidential information from the HIV Registry onto a thumb drive, and then failed to retain possession of it.
Ler has since been charged under the Official Secrets Act (OSA) for mishandling the information.
On Jan 22, his American partner - Mikhy Farrera Brochez - posted online the information from the entire HIV Registry, prompting the Ministry of Health (MOH) to disclose the data breach and triggering concerns about the level of data security and safeguards on staff access to confidential information.
In Parliament yesterday, Mr Gan said the security safeguards for the HIV Registry in 2012 and 2013 were in accordance with prevailing government policies on classified information and IT security at that time. He said staff were briefed on the policies, systems and processes, and regularly reminded of the sensitivity of the information that they should access on a need-to-know basis.
"All of them signed an undertaking to observe confidentiality obligations under the OSA," he added.
Mr Gan said the HIV Registry database had been migrated to a network-based system in 2012 even before the complaint from Brochez in November 2012 that Ler had shared screenshots of his HIV status with others.
NPHU staff no longer had to download a database file from a network drive that was password-protected and accessible only from government-issued computers. They could instead retrieve records from the network-based system, enhancing the audit trail, said Mr Gan. In 2014, alerts of multiple failed log-in attempts were added to the system.
He added that the NPHU system was further strengthened in 2016 following a data security review by MOH's chief data officer.
Downloading and decrypting HIV Registry data now requires approval from the director of the Communicable Diseases Division or higher, with a two-person approval process to ensure information cannot be accessed by a single person.
A dedicated workstation for handling data from the HIV Registry was also set aside and locked down to prevent unauthorised data removal.
In 2017, the unit complied with government-wide policy to disable the use of unauthorised portable storage devices on official computers, and allow only the use of authorised and encrypted thumb drives, said Mr Gan.
Moving forward, he said a data analytics group had been set up in April last year to focus on data usage and safeguards. Within the group is a six-person Data Governance Division which formulates policies, practices and guidelines for MOH and its agencies.
Mr Gan said MOH will "expand the role and resourcing of this unit", and task it with a specific mandate and team to look into the compliance and audit of data access and use.
He added that in the light of the HIV Registry leak, and the increased use of data across the healthcare sector, having staff adhere to data security and governance policies is crucial. However, Mr Gan also said there is "no foolproof system" as the integrity of a person can only be proven over time.