HIV data leak: MOH has plenty of explaining to do


So, when the personal particulars of 1.5 million people were hacked, we were told immediately and the spectre of a state-sponsored cyber attack was raised. They even dared to dig into the Prime Minister’s medication records! But, hey, never mind your personal data, they’re not of any commercial value anyway.

The key takeaway was that Singapore is in the gunsights of mischievous, mysterious beings and we should batten down the hatches, like have a more complicated password to our computer.

What about the personal particulars of 14,200 HIV patients being in the possession of someone unauthorised, and worse, leaked online? What weight or public attention should be given to this?

I was reading all the media reports today, including the Health ministry’s statement, and I would describe it as the unveiling of a horror story. Someone has a list of HIV-positive people here, and can blast the details online for family, friends, employers and total strangers to see. The list includes particulars of some 2,400 “contacts” as well, who are, presumably, people they slept with. This includes their phone numbers.

In a case of closing the barn door after the horse has bolted, MOH made much of “working with relevant parties to disable access to the information”. I guess this is about working with social media companies and tech giants to stamp out signs of publication.

It added: “While access to the confidential information has been disabled, it is still in the possession of the unauthorised person, and could still be publicly disclosed in the future. We are working with relevant parties to scan the Internet for signs of further disclosure of the information.”

In other words, whatever information has appeared in the public domain has been scrubbed out, but there’s no guessing when more will pop up later.

Which all looks well and good until you start reading about the circumstances of the “leak”. We’re told that the authorities had been led on a merry dance by American Mikhy K Farrera Brochez, 33, who obtained an employment pass to work here in January 2008 – despite being HIV-positive. His HIV test came back positive at a SATA clinic at first, but his partner, Ler Teck Siang, a doctor, connived with him to dupe the authorities.

It’s not clear what happened to the SATA clinic results, but Brochez took a second test at a Commonwealth clinic where Ler was practicing as a locum. That’s when they swapped blood samples and Brochez got his employment pass. In 2011, he obtained a “personalised” employment pass.

In the next few years, he taught at Temasek Polytechnic using forged credentials, and even set up a child psychology practice. He enjoyed fame when The New Paper featured him in 2010, as a child prodigy who enrolled in Princeton University in the United States at 13, who could converse in eight languages and had numerous awards to his name. The article was headlined “He didn’t know he was gifted”.

You can start counting the number of agencies he duped during his stay here.

Then in October 2013, someone seemed to have tipped off the Manpower ministry about Brochez’s HIV status. It had to do with the original SATA data re-surfacing. MOM wanted to cancel his permit but the fraudster said he could provide proof that he did not have HIV. So the couple, who were living together, repeated the blood swapping exercise. MOM was duped again.

Note that from March 2012 to May 2013, Ler was head of the MOH’s National Public Health Unit. MOH thinks it was during this period that Ler accessed the records. Maybe to check if his partner cleared the test? Maybe he uploaded the data into a thumb drive?

In May 2016, however, things started unraveling for the couple. Brochez was found guilty of possession of a ketamine and cannabis mixture, and investigations revealed that his educational certificates were forged and he had lied to the authorities about his HIV status. He served 28 months in jail and was deported upon release in April last year.

As for Ler, he was in even deeper trouble.

To cite the MOH statement:

He was charged in Court in June 2016 for offences under the Penal Code and the Official Secrets Act (OSA). In September 2018, Ler was convicted of abetting Brochez to commit cheating, and also of providing false information to the Police and MOH. He was sentenced to 24 months’ imprisonment. Ler has appealed, and his appeal is scheduled to be heard in March 2019. In addition, Ler has been charged under the OSA for failing to take reasonable care of confidential information regarding HIV-positive patients. Ler’s charge under the OSA is pending before the Courts.

It isn’t clear if additional OSA charges were levelled against him or whether this was the 2016 charge.

But what the MOH said later was even more intriguing.

In May 2016, MOH had lodged a Police report after receiving information that Brochez was in possession of confidential information that appeared to be from the HIV Registry. Their properties were searched, and all relevant material found were seized and secured by the Police.

Nothing has been made public about the confidential information in his possession – nor about the “relevant material” seized.

All was quiet until two years later.

In May 2018, MOH received information that Brochez still had part of the records he had in 2016. The information did not appear to have been disclosed in any public manner. MOH lodged a police report, and contacted the affected individuals to notify them.

What an exercise in ambiguity! What did the authorities do at this stage to plug the leak? What does “any public manner” mean? Apparently, it is not through online channels. Did he attempt blackmail? And how many affected individuals were there? At this point in time, did the authorities still believe there was no need to make public the news that some information had been stolen?

In any case, in this same year, coincidentally, MOH instituted additional safeguards, including a two-person approval process to download and decrypt information, against mishandling of information by authorised staff. It also disabled the use of unauthorised portable storage devices on official computers in 2017, “as part of a government-wide policy”.

I don’t know how else to describe the above except to use the term “cover-up”.

According to ST, Mr Chan Heng Kee, permanent secretary at the MOH, said the ministry looks at “several factors” before deciding if it should go public. Besides patients’ interest and well-being, there was whether the information was secured or publicly disclosed.

“Whether there is a continuing risk of the information being exposed even if we were able to secure. And also the concerns that individuals might have, should the incident be made public.”

He also said: “Certainly in the case where the information has been contained, we would take a more conservative approach.” (And would that have been what exactly?)

The other reason, he said, is that more than half those affected – about 8,000 – are foreigners who will be difficult for the ministry to contact.

I find the above answer astonishing. The excuse is, it’s too difficult to do, so we didn’t see the need to contact everyone. Or is MOH worried about litigation by litigious foreigners? I also cannot understand how it is NOT in the patient’s interest to warn them that someone might have stolen their data and might use it against them.

Is that why the OSA charges against Ler haven’t been heard in court yet? It’s been pending for at least two years. MOH didn’t want the news out before it secured everything?

Parliament is sitting on Feb 11. Again, I hold the forlorn hope that some hard questions will be raised by Members of Parliament.

I have had enough of officials telling us when they should give information that affects people or what sort of information should be made public. I have also had my fill of people who say we don’t have to know everything, and that we should let the G handle everything.

I think our brain should work more than once in every four or five years.

 
