COMMENT: HIV data leak – what is your excuse now, MOH?

Health Minister Gan Kim Yong. PHOTO: Screengrab from Gov.sg YouTube channel
Health Minister Gan Kim Yong. PHOTO: Screengrab from Gov.sg YouTube channel

Another day, another data breach at the Ministry of Health (MOH). Barely three weeks after it accepted a Committee of Inquiry’s (COI) recommendations for improving cybersecurity, MOH revealed another staggering leak: that the personal details of 14,200 HIV-positive patients have been disclosed online by an American conman.

This marks three major incidents under Health Minister Gan Kim Yong’s watch: the Hepatitis C outbreak at Singapore General Hospital (2015), the massive SingHealth cyberattack that compromised the personal details of 1.5m patients (2018) and now this. In what has become a familiar ritual, Gan’s textbook apology on Tuesday (28 January) rang hollow, now that the genie has been let out of the bottle.

Following the release of the COI report on 9 January, an MOH spokesman had said, “Patient wellbeing is our top priority. This includes safeguarding the confidentiality of patient data…we are committed to safeguarding patient data.”

Perhaps in its new-found zeal for protecting patient data, the Ministry somehow forgot that American Mikhy K Farrera Brochez, who was in Singapore between January 2008 and June 2016 on an employment pass, had illegally possessed the HIV-positive data in its Registry. He was in a relationship with Singapore doctor Ler Teck Siang, the head of MOH’s National Public Health Unit who had authority to access information in the HIV Registry.

Which brings us to the first question, one that was also asked in the aftermath of the SingHealth fiasco: why was the public not informed earlier? MOH first lodged a police report on Brochez in May 2016 when it became aware that he might be in possession of confidential information from the HIV Registry. It started informing affected patients two years later when it found out that the American might still be holding on to some of the data.

After making another police report last Wednesday, it then began informing more affected individuals from Saturday and disabled access to the information. Was this another instance of a “piecemeal and inadequate” response, as Solicitor-General Kwek Mean Luck labeled the initial response to the SingHealth cyberattack? There are many gaps in the information MOH has released. What else has it not told the public?

The spectre of HIV

The next issue at hand: what legal redress or protections do the affected patients have? 34 years after the first HIV-positive case was reported in Singapore and despite huge medical advancements in treating it, the stigma of the disease remains very real. It is no exaggeration to say that the disclosure of an HIV-positive status could ruin lives, end careers, and destroy relationships.

With the information online – including names, IC numbers and contact details – there is nothing to stop anyone from posting the data on social media accounts or online forums. Will MOH be liable if say, someone were to lose his job as a result of the illegal disclosure? Given that employers typically do not need to disclose the reasons when giving employees notice, this scenario is a distinct possibility.

What about individuals who end up ostracised by family and friends? Will MOH be responsible for the emotional distress this causes them and their loved ones?

It is not just about the 14,200 patients. The collateral damage from this incident extends beyond them.

Data protection

Last of all: what guarantees do we have that confidential patient data is, at the very least, being rigorously safeguarded by MOH?

Under the Infectious Diseases Act, all medical staff are required to inform MOH of a confirmed case of HIV within 72 hours of diagnosis. And while there is anonymous testing, patient registration with MOH is mandatory during treatment.

This is all highly sensitive and confidential data that is entrusted to MOH by law, and it failed in its duty of care. While it is unreasonable to expect foolproof cybersecurity in this day and age, it does not take a medical degree to point out that Brochez was hardly a “skilled and sophisticated threat actor” like the SingHealth cyberattacker.

MOH’s statement is even more infuriating, “While access to the confidential information has been disabled, it is still in the possession of the unauthorised person, and could still be publicly disclosed in the future. We are working with relevant parties to scan the Internet for signs of further disclosure of the information.’’

Meaning that Brochez, who was deported from Singapore in 2017, can release more information any time he pleases.

After the two data leaks, MOH’s credibility is in tatters. Gan’s promise on Monday to “continue to strengthen and to review our systems to ensure they are secure” does not cut it. It is barely an adequate response.

MOH states that its staff embody six core values: dedication, excellence, professionalism, integrity, care & compassion, and teamwork. The HIV data scandal has called into question these values. The country’s international reputation is at stake – MOH must do better.

Related stories:

COMMENT: SingHealth cyberattack throws up leadership issue