Data of 14,200 people with HIV leaked online by American fraudster:MOH

[SINGAPORE] Confidential information of 14,200 people with HIV, including their names, contact details and medical information, has been stolen and leaked online, and the culprit is an American fraudster, the Ministry of Health revealed on Monday (Jan 28).

Mikhy Farrera-Brochez, the man behind the leak, lived in Singapore from 2008 onward before being jailed in 2017 for several fraud and drug-related offences and lying to the Ministry of Manpower about his own HIV status.

His partner was Ler Teck Siang, a male Singapore doctor who was head of MOH's National Public Health Unit (NPHU) from March 2012 to May 2013 and had access to the HIV Registry for his work. He has been charged under the Official Secrets Act for failing to take reasonable care of confidential information regarding HIV-positive patients.

The records that have been leaked include those of 5,400 Singaporeans diagnosed with HIV up to January 2013, and 8,800 foreigners diagnosed up to December 2011, MOH said at a press conference at the College of Medicine Building.

This included each person's name, identification number, phone number and address, HIV test results and related medical information. The name, identification number, phone number and address of 2,400 people identified through contact tracing up to May 2007 was also included.

"We are sorry for the anxiety and distress caused by this incident," said the ministry in a statement.

"Our priority is the well being of the affected individuals," it added, saying that it has been contacting affected individuals to inform and help them since Saturday (Jan 26), and that it has worked with relevant parties to disable access to the information.

However, the information is still in the hands of Farrera-Brochez, who was deported after he had served his jail term. He currently remains outside Singapore.

It came to light on Monday that Farrera-Brochez, who was HIV-positive, had not only used his boyfriend's blood to pass blood tests so he could work in Singapore, but that he had also got hold of information illegally from the HIV registry which his doctor boyfriend had access to.

The latest breach, while not due to a cyber attack, comes after Singapore's worst cyber attack in 2018. From June 27 to July 4 last year, hackers infiltrated the computers of SingHealth and stole the personal particulars of 1.5 million patients, including Prime Minister Lee Hsien Loong.

Farrera-Brochez, 33, who was a polytechnic lecturer here and held an employment pass, was sentenced to 28 months in jail in 2017 for offences including cheating and possession of drugs.

Farrera-Brochez's boyfriend, Singaporean doctor Ler, 36, had submitted his own blood sample in place of the American's to help him get an employment pass here. Ler, who is still a registered doctor, has been sentenced to two years in jail, and is appealing.

The ministry said it was notified of the breach by the police last Tuesday (Jan 22), and made a police report the following day (Jan 23).

Since 2016, it noted, additional safeguards against mishandling of information by authorised staff have been put in place, including a two-person approval process to download and decrypt information.

MOH stressed that it will continue to regularly review its systems to ensure they remain secure and that the necessary safeguards are in place.

It appealed to the public to notify the ministry immediately if they came across information related to the incident, and not to share it. Those with information or concerns can call the MOH hotline on 6325-9220.

THE STRAITS TIMES