The records breach of HIV-positive individuals is the latest in a string of data breaches at Singapore’s Ministry of Health
Health records in Singapore have been finding their way out of their “secure” storage and into the public domain of late. First, it was 1.5 million records from the Ministry of Health in July 2018, and now we learn that the city-country’s database of HIV-positive individuals (5,400 Singaporeans, 8,800 foreigners and 2,400 individuals identified through contact) now resides in the hands of U.S. citizen Mikhy K. Farrera-Brochez, who resided in Singapore between 2008 and 2018 and is currently believed to be in the United States.
The Ministry of Health noted Jan. 22 that the information from the HIV registry database was being disclosed online, which it disabled access to Jan. 25.
How Did Farrera-Brochez Come to Possess This Sensitive Database?
Farrera-Brochez’s partner, Dr. Ler Teck Siang, was head of the Ministry of Health’s National Public Health Unit from March 2012 through May 2013 and had natural access to the HIV registry. Farrera-Brochez, who is HIV-positive, falsified his blood tests by using Siang’s blood to obtain his residency/work permit. It is believed that Siang copied the HIV registry during his period of employment within the Ministry of Health, which ended when he resigned in January 2014.
Farrera-Brochez was arrested, tried and sentenced to prison for the blood-swap fraud. He was then deported in May 2018 following a 28-month stay in prison. A public records search reveals he was in the United States—Clark County, Kentucky, sheriff’s office records show Farrera-Brochez was arrested Dec. 8, 2018, for criminal trespassing.
Interestingly, the Singaporean authorities knew in 2016 that Farrera-Brochez was in possession of the compromised information. According to the Ministry of Health’s statement, they believed the information had been recovered when police conducted a search of Ler’s and Farrera-Brochez residence. But, in May, after his deportation, they discovered that Farrera-Brochez had secreted a copy of the HIV registry in an undisclosed manner and he continued to possess the sensitive data.
What Has Been Compromised?
According to the Ministry of Health, the records breach included 5,400 Singaporeans diagnosed with HIV up to January 2013 and 8,800 foreigners diagnosed with HIV up to December 2011. “The information included their name, identification number, contact details (phone number and address), HIV test results and related medical information. The name, identification number, phone number and address of 2,400 individuals identified through contact tracing up to May 2007 were also included.”
Protect What You Collect
From an infosec perspective, Singapore is having a difficult six months as the Ministry of Health when it comes to records breaches.
The July 2018 cyberattack on the ministry resulted in the compromise of 1.5 million patient records, which included Prime Minister Lee Hsein Loong’s records. The unidentified hackers harvested medical files dating from May 1, 2015, through July 4, 2018. Put differently, the country has 5.4 million residents; the records of more than 27 percent of the population were breached.
The Cyber Security Agency of Singapore believed that the attack occurred between June 27 and July 4, 2018.
The 2016 theft of the HIV registry by Siang would have been difficult to prevent, given he had regular authorized access to the registry as part of his normal duties. That is to say, he wasn’t venturing outside of his swim lane in acquiring the information.
The fact that the Ministry of Health and, by extension, the law enforcement entities had two bites at the apple to recover the information obtained by Siang and Farrera-Brochez and were unsuccessful at recovering all copies of the data is regrettable. Given the multitude of avenues by which the information could have been hidden, not finding all copies is not surprising.
No doubt, Farrera-Brochez will once again be visited by law enforcement.