Singapore's HIV data leak: 5 burning questions to ask MOH and others
Two days after Singapore’s Ministry of Health (MOH) publicly announced that there had been a massive leak of confidential data from its HIV Registry some two-and-a-half years earlier and worse, that the data had appeared online, burning questions still remain over the scandal.
To briefly recap the background of the case: In 2016, MOH got to know that American fraudster Mikhy K Farrera Brochez had data from the HIV Registry.
He was convicted of numerous crimes in early 2017 and was sentenced to 28 months’ jail. He was deported in April last year after serving his sentence.
Brochez, 34, was a partner of Ler Teck Siang, 37, who headed MOH’s National Public Health Unit from March 2012 to May 2013 with access to the HIV Registry.
Ler was sentenced to two years’ jail last year for abetting Brochez to commit cheating, and also of providing false information to the police and the health ministry. He is appealing against conviction and sentence, while the prosecution is appealing for a higher sentence.
In May 2018, after Brochez’s deportation, MOH got to know that Brochez still had the confidential data but which it said had not been disclosed publicly. On 22 January this year, it was notified that the data had gone online.
The data included the HIV-positive status of 14,200 people, along with their names, identification numbers and contact details. The medical records belonged to 5,400 Singaporeans diagnosed with HIV since 1985 up to January 2013, as well as 8,800 foreigners – including work and visit pass applicants and holders – diagnosed with the disease up to December 2011.
Yahoo News Singapore has also compiled a timeline to help readers follow what we know of the scandal so far.
Apart from questions over a belated disclosure of the 2016 data breach, along with those over privacy and data protection, here are some burning questions that remain unanswered:
1. Were the authorities thorough in efforts to secure leaked data?
Police investigators searched both the properties of Brochez and Ler in May 2016, and found and secured what they termed to be “relevant material”.
But did investigators also ascertain that neither party had stored the confidential information in some form or other, including online, a storage device such as a USB flash drive or on a cloud-based platform?
Given the sensitive nature of the HIV Registry – the Infectious Diseases Act protects the identity of HIV patients – did investigators accord due weight to the nature of the confidential data?
2. Why wasn’t Brochez prosecuted under the Official Secrets Act?
Brochez got hold of the data via his partner Ler, although we don’t quite know whether the latter was a willing or unwitting accomplice.
Ler has been charged under the Official Secrets Act (OSA), for failing to take reasonable care of confidential information regarding HIV-positive patients. The OSA case is pending before the courts.
Under the Act, it is also a crime to be in possession and retention of any confidential government information.
Given that the authorities – both MOH and the police – knew as far back as May 2016 that Brochez was in possession of data from the HIV Registry, was he duly investigated for possible offences under the OSA? Was prosecution under the Act against Brochez warranted as such? If so, why wasn’t he prosecuted for the data breach before he was deported in April last year?
3. Why was Brochez in possession of confidential data?
Ler apparently transferred the HIV Registry data onto a USB flash drive at some point during his tenure as head of MOH’s National Public Health Unit from March 2012 to May 2013.
Although he had authority to access the information as required for his work, why was he able to download and transfer confidential data protected under the law?
And why did Ler download and transfer the data? What was his motive in doing so? Did Ler communicate with Brochez about the data transfer? To what extent was Brochez involved in the data transfer?
4. Were due diligence checks conducted on Brochez’s educational claims?
Brochez was granted an employment pass in March 2008, having submitted not just a false HIV test, but also forged academic certificates. And he worked as a lecturer in early childhood studies and psychology at Temasek Polytechnic.
He even duped local tabloid The New Paper, claiming to have been a child prodigy, spinning tales that might have rivalled those of famous trickster Frank Abagnale, Jr., whose life story was captured in the movie Catch Me If You Can.
Brochez’s ploy to dupe the authorities unravelled, however, when police investigators found his bogus academic certificates in May 2016.
How was it possible that Brochez, using forged university degrees, got hold of an employment pass from the Ministry of Manpower and worked for Temasek Polytechnic?
Did MOM and TP conduct due diligence and sufficient background checks on Brochez’s purported qualifications and the documents which he submitted?
5. What kind of assistance is the police seeking?
MOH has said that Brochez is currently under police investigation and that the Singapore authorities are seeking assistance from their foreign counterparts. What specific assistance are the authorities seeking from their counterparts?
Brochez is reportedly living in Kentucky, the US, according to documents seen by Yahoo News Singapore.
Given that Singapore and the US have a bilateral extradition treaty, and that MOH has fingered Brochez to be the perpetrator behind the massive leak of confidential data from its HIV Registry, are the Singapore police seeking for him to be extradited here to once again face prosecution?
HIV-positive status of 14,200 people leaked online by American fraudster: Singapore MOH
Action for AIDS: ‘Deeply troubled’ by HIV data leak, potential damage to lives of affected persons
HIV data leak: MOH has plenty of explaining to do
COMMENT: HIV data leak – What is your excuse now, MOH?
Government should enact anti-discrimination legislation to support people living with HIV: Pink Dot