SINGAPORE — Additional safeguards against the mishandling of information by authorised staff have been put in place since 2016, the Ministry of Health (MOH) said on Monday (Jan 28), after it revealed that confidential information of 14,200 individuals diagnosed with the human immunodeficiency virus (HIV) and over 2,000 others has been leaked.

The ministry said a two-person approval process to download and decrypt registry information was implemented in September 2016 to ensure that the information cannot be accessed by a single individual.

In addition, a workstation specifically configured and locked down to prevent unauthorised information removal was designated for the processing of sensitive information from the HIV Registry.

It also disabled the use of unauthorised portable storage devices on portable computers in 2017 as part of a government-wide policy.

The person who leaked and is still in possession of the data is Mikhy K Farrera Brochez, a 33-year-old American citizen whose boyfriend Ler Teck Siang was a general practitioner and former head of the National Public Health Unit (NPHU) in MOH.

Ler, 36, was sentenced to two years’ jail in November last year after being found guilty of helping Brochez forge his blood test results so that he could continue to work in Singapore.

Ler still has a pending charge under the Official Secrets Act for failing to take reasonable care of confidential information regarding HIV-positive patients.

In response to TODAY’s queries, the health ministry said that during Ler’s tenure as NPHU head from March 2012 to May 2013, “the systems and processes for the HIV Registry were in accordance with the prevailing government policies governing classified information and IT security at that time”.

“The small group of NPHU staff were allowed to access the information that was necessary in order to carry out their duties of the NPHU, but were subject to the adherence to data protection policies, including safeguarding and maintaining possession of classified materials at all times,” it added.

All staff were required to sign an undertaking to observe confidentiality obligations under the Official Secrets Act. They were also regularly reminded of the sensitivity of the information in the HIV Registry.

Ler resigned in January 2014. Since then, he has had no access to the National Electronic Health Record system.