Data breaches dent Singapore’s image as a tech innovator
HONG KONG — Singapore takes pride in being a technology hub where municipal decisions are driven by cutting-edge data science. But that image has been dented by two embarrassing data breaches.
HONG KONG — Singapore takes pride in being a technology hub where municipal decisions are driven by cutting-edge data science.
“Data is the new currency, and with open data, the possibilities are endless!” the government says on its “smart nation” portal.
But that image has been dented by two embarrassing data breaches.
Last year, a cyberattack on Singapore’s public health system compromised data from 1.5 million people. And on Monday (Jan 28), the Health Ministry said that medical records for 14,200 HIV-positive people in the city-state had been obtained by an American whose Singaporean partner worked at the ministry. The ministry said it learned on Jan 22 that the records had been illegally disclosed online.
Experts say the breaches highlight the potential pitfalls for Singapore and other countries that are pushing to make vast troves of data more accessible and centralised. Do the public benefits justify the inherent risks to privacy? And can anyone prevent senior officials from misusing information they have at their fingertips?
In addition, the HIV records breach illuminates the widespread stigma and discrimination that people with the virus face in Singapore, a conservative society where gay sex — which accounts for roughly half of new HIV infections in the country — is banned under a colonial-era law.
“Why are people so concerned about their status being known?” said Mr Eamonn Murphy, Asia Pacific director at United Nations agency UNAIDS. “It’s the issue of stigma and discrimination, and it’s familial, for some of them, but clearly workplace: fear of loss of employment.”
“That’s a bigger issue that the ministry or the government of Singapore should be trying to address,” Mr Murphy said.
Authorities say the perpetrator in the cyberattack last year targeted the medical records of Prime Minister Lee Hsien Loong, a cancer survivor. Mr S Iswaran, Minister for Communications and Information, told lawmakers this month that the attacker could not be identified because of national security concerns.
Mr Iswaran also said that copied personal data had not “emerged in any form” on the dark web, a part of the Internet that relies on encryption and is often used for criminal activities.
In the second episode, the Health Ministry said it learned in 2016 that a foreigner might have been in possession of confidential information from the HIV registry. The records included names, identification numbers, contact details, HIV test results and related medical information for 5,400 Singaporeans whose infections were diagnosed as recently as January 2013, and 8,800 foreigners diagnosed up to December 2011.
The suspect, Mikhy K Farrera Brochez, is an American who reportedly tested positive for HIV in 2008 using a fake passport from the Bahamas, shortly after arriving in Singapore.
Foreigners with HIV, the virus that causes AIDS, are not allowed to work in Singapore. To get around that, prosecutors said, Brochez’s partner, Ler Teck Siang — a Singaporean doctor who works at the Health Ministry — twice submitted his own blood sample when Singaporean authorities tested Brochez for HIV.
“This incident is believed to have arisen from the mishandling of information by Ler, who is suspected of not having complied with the policies and guidelines on the handling of confidential information,” the Health Ministry said in a statement on Monday.
Dr Desmond Wai, a gastroenterologist at Mount Elizabeth Novena Specialist Centre in Singapore, said that the cyberattack last year illustrated how the country’s electronic records are vulnerable to hacking, no matter how secure they may appear.
“There is a Chinese saying: ‘If the good is 1 feet tall, the evil will be 3 feet tall,’ ” he said. “So I think there’s always a risk.”
Dr Wai said that for the most part it was not fair to blame the Health Ministry for the second breach, because it would be hard to prevent a senior official from gaining access to the government’s HIV registry.
But he added that Ler, the former head of the ministry’s National Public Health Unit, should not have had such wide access to national HIV records in the first place, nor an ability to download them.
Mr Tom Uren, a cyberpolicy analyst at the Australian Strategic Policy Institute in Canberra, said that the leak of Singapore’s HIV records highlighted a common challenge that many governments face: trying to improve overall health services and efficiency while also protecting individuals’ privacy.
While Singapore’s HIV registry was clearly raided by a “bad apple,” he added, the leak points to potential problems with oversight of the record-keeping system — and with the storage of HIV test results alongside so much personal information.
“There’s actually no need for all that data to be held together,” Mr Uren said.
Brochez was convicted in 2017 of numerous offences, including lying to labour officials about his HIV status, providing false information to police and using forged degree certificates in job applications, the ministry said.
He was sentenced to 28 months in prison, and later deported. The ministry said he was currently outside Singapore, but it did not specify where.
His partner, Ler, was sentenced in November to 24 months in prison for abetting cheating and providing false information to police and the Health Ministry. Ler, who is appealing that conviction, has also been charged with mishandling confidential information related to HIV-positive patients.
On Monday, the Health Ministry apologised for “the anxiety and distress caused by this incident” and said it had been contacting those affected by the breach. The ministry also said it would “continue to regularly review our systems to ensure that they remain secure and that the necessary safeguards are in place.”
As of late Tuesday evening, the ministry had not responded to questions from The New York Times about how the two data breaches occurred.
Advocacy groups say the disclosure of so many records has sent chills through HIV-positive people in Singapore who were already battling a widespread stigma.
About half of the roughly 450 new cases of HIV infection reported in Singapore each year are transmitted through same-sex intercourse, according to the Health Ministry’s data. But experts say that a major barrier to prevention is that few gay and bisexual men in Singapore are open about their sexual orientation.
“Fear is what drives people underground and makes them come too late to health services,” said Mr Murphy of UNAIDS. “One, it doesn’t help them for their own personal health outcome, and two, it doesn’t help prevent further transmissions of disease. This is why it’s so critical to have a protective environment.”
Professor Roy Chan, an expert on HIV at the National University of Singapore and the president of the advocacy group Action for AIDS Singapore, said in a statement that the group was “deeply troubled” by the data leak.
He said it was a criminal act that should be “condemned and answered in the most severe terms possible”.
Mr Paerin Choa, a spokesman for Pink Dot SG, a group that advocates for lesbian, gay, bisexual and transgender people in Singapore, said victims of the leak now faced “the prospect of further stigmatization and discrimination, thanks to the fear and ignorance surrounding HIV and people living with HIV”.
Mr Choa said that people had no legal protection from discrimination in the workplace based on their HIV status, sexual orientation or gender identity, and that the practice of deporting immigrants who test positive for the virus was unnecessarily cruel.
He said the government should “take moral and political responsibility by acknowledging what HIV-positive individuals have to endure in our country, and take concrete action to enact anti-discrimination legislation to support” them.
“This would reduce harm done to those whose names have been exposed,” he said. THE NEW YORK TIMES