[BreachExchange] Singapore says personal details of 14,200 HIV patients were posted online

Destry Winant destry at riskbasedsecurity.com
Tue Jan 29 00:50:58 EST 2019


https://techcrunch.com/2019/01/28/singapore-14200-hiv-patient-details-online/

For the second time inside a year, private health information
belonging to people in Singapore has been compromised.

Following a hack disclosed last summer that affected the patient
records of up to 1.5 million citizens, Singapore’s Ministry of Health
revealed today that personal details and the HIV-positive status of
14,200 people were posted online by a convicted fraudster.

Unlike last year’s data breach — which was caused by what appears to
be a targeted cyberattack — the details this time around were exposed
by unauthorized access to the ministry’s HIV Registry, which occurred
in person.

Mikhy K. Farrera-Brochez, a U.S. citizen who spent more than eight
years in Singapore before being deported last year over fraud and
drug-related offences, is said to have posted the information on the
internet after he gained access to it via his partner Ler Teck Siang,
a doctor who once led the Ministry of Health’s National Public Health
Unit.

It isn’t clear where the details were posted, but the ministry said
access to the leak has been “disabled.” However, since Farrera-Brochez
is believed to have retained details in person, it is entirely
possible that they may appear again. In a bid to mitigate that threat,
the Singapore government is “working with relevant parties to scan the
Internet for signs of further disclosure of the information” and is
“seeking assistance from… foreign counterparts.”

“We are sorry for the anxiety and distress caused by this incident.
Our priority is the wellbeing of the affected individuals. Since 26
January, we have been progressively contacting the individuals to
notify them and render assistance,” the ministry wrote in an
announcement.

It urged anyone who comes into contact with the information to turn it
in and “not further share it.”

The registry lists the name, ID number, phone number, email address,
HIV test results and related medical information for 5,400 Singapore
nationals who were diagnosed with HIV up to January 2013. It includes
the same details for 8,800 foreigners as of December 2011, and the
details of 2,400 related contacts up to May 2007.

The government introduced system safeguards in September 2016 to limit
the potential for rogue access to the data. That included a two-person
approval process for data downloads, a dedicated workstation to
prevent unauthorized access and the disabling of portable storage
devices that could be used to transport information.

Police were first alerted that Farrera-Brochez was in possession of
the data in May 2016. It wasn’t until two years later that they were
told that he had retained the information. Despite an investigation,
they learned Farrera-Brochez had disclosed the details online just
over one week ago.

Farrera-Brochez is currently located outside of Singapore. He worked
in the country between 2008 and 2016, but was charged for faking his
HIV test result using Ler’s blood and using fake qualifications to
earn a work permit. After completing a two-year sentence, he was
deported in May 2018.

Ler is waiting on an appeal after he was handed a two-year jail term
for abetting Farrera-Brochez, providing false information to
authorities and failing to take care of confidential information.

