14k HIV+ records leaked, Singapore says sorry

For the second time in seven months, Singapore has lost control of its citizens’ private medical records. This time, it’s the records of people diagnosed with HIV.

The Ministry of Health (MOH) on Monday announced that police had alerted the ministry that the HIV status of 14,200 people, plus confidential data of 2,400 of their contacts, is in the possession of somebody who’s not authorized to have it and who’s published it online.

The records were those of 5,400 Singaporeans diagnosed with HIV up to January 2013 and of 8,800 foreigners diagnosed with HIV up to December 2011. They included names, identification numbers, phone numbers, addresses, HIV test results, and related medical information. Also included were names, identification numbers, phone numbers and addresses of 2,400 of the patients’ contacts.

The MOH has been notifying, and offering help to, affected people since Saturday. The ministry says that it’s also worked with “relevant parties” to disable access to the records.

However, whoever published the confidential records still has them, so they could be published yet again. The ministry is scanning the internet for signs of further disclosure.

The MOH didn’t specify whether the sensitive information had been seized in a cyberattack or whether the US man it suspects of having the records got his hands on them some other way.

Regardless of the “how,” the ministry thinks it knows the “who.”

It’s accusing two men: the one who it says possesses, and who allegedly published, the HIV records is Mikhy K. Farrera Brochez. Brochez is a male US citizen who was living and working in Singapore from January 2008 until June 2016, when he was arrested. In March 2017, Brochez was convicted of fraud and drug-related offenses and sentenced to 28 months in prison.

The fraud offense relates to Brochez lying about having HIV to the Ministry of Manpower so that he could work. Singapore in the past banned and blacklisted foreigners with HIV from working, though it amended that regulation in 2015 to allow holders of short-term visit passes who have HIV to enter.

Brochez was also convicted for furnishing false information to the police during a criminal investigation, and using forged degree certificates in job applications. When he finished his prison sentence, he was deported, though the ministry didn’t say where he was sent.

The other man who the ministry says was responsible for what would ultimately be the doxxing of the HIV records was Brochez’s then-boyfriend and current spouse, a male Singaporean doctor named Ler Teck Siang. Ler, who headed up MOH’s National Public Health Unit (NPHU) from March 2012 to May 2013, had access to, and responsibility for the safekeeping, of the HIV Registry.

Two years after Ler resigned in January 2014, he was charged with failing to take reasonable care of HIV records, of helping Brochez to pull off his fraud, and of lying to the police and the MOH.

According to Channel News Asia, Ler also helped Brochez by supplying his own blood for government tests. Ler was sentenced to two years in jail in September 2018 – a sentence that he’s now appealing.

The MOH said that it filed a police report in May 2016 after learning that Brochez was in possession of confidential information that appeared to be from the HIV Registry. Police searched his, and Ler’s, properties. But it wasn’t until after Brochez had been deported that the MOH learned that Brochez still had part of the HIV records that he’d had, but apparently hadn’t yet doxxed, two years prior.

That brings us up to last Tuesday, 22 January, when the MOH got a heads-up about Brochez potentially still having data from the HIV registry… information that, this time around, he allegedly published online.

Singaporean police are currently looking for assistance from unspecified foreign countries as they continue to investigate Brochez. The ministry is appealing to the public: if anybody comes across related information, please don’t share it, the MOH asks.

The second medical records pratfall

The last time Singapore suffered a medical-records pratfall was in July 2018, when 1.5 million patients’ records – including that of Prime Minister Lee Hsien Loong – were seized and illegally copied in a malicious cyberattack on the databases of the city state’s SingHealth hospital group.

A committee of inquiry published its report into the hack earlier in January, saying that the attacker(s)’ success in obtaining and exfiltrating the records wasn’t inevitable. From the report:

IHiS and SingHealth should have been better prepared and more robust in their actions. If they had done so, the cyber-attack could have been limited or even stopped.

The inquiry found that staff had inadequate cybersecurity awareness, training, and resources; that there were a number of vulnerabilities, weaknesses, and misconfigurations in the SingHealth network and database system that could have been remediated before the attack; and that SingHealth “had no management line of sight with regard to the assessment of cybersecurity risks.”

Although it’s not clear that a cyberbreach took place in the doxxing of the HIV records – the records could have been in paper form, for all we know – the government’s assessment of the SingHealth breach makes clear that there were ample vulnerabilities and lack of preparedness that could allow breaches to happen.

That’s the core problem of any potential breach: without the right precautions in place, you have little choice but to assume the worst. Even if nothing “cyber” actually led to the HIV records being breached, it sounds as if the fruit was ripe for the cyber plucking.