People diagnosed with HIV in Singapore, some of the most vulnerable people in the country, are now the victims of the latest data breach to rock the nation in recent months.
Yesterday, the Ministry of Health said 14,200 people who were HIV-positive had their personal data stolen and leaked online. The details of their “contacts”, or partners, were exposed as well.
The 14,200 people affected may be far fewer than the 1.5 million caught up in the SingHealth cyber attack last year, but the consequences this time are far more dire for the victims.
With their identities unmasked, they could face no end of discrimination at home or at work. With their identification numbers and contact details exposed, they are wide open to blackmail.
The ministry has pointed the finger at an “unauthorised person”, who is said to have leaked the data online after being deported from Singapore for drug-related offences last year.
Mikhy K Farrera Brochez, an American, appears to have made use of his relationship with a Singaporean doctor, who was head of the ministry’s National Public Health Unit, to obtain the data.
That’s not the point of the story, however. The bigger issue is how the ministry handled the data breach. On so many counts, it falls short of expectations.
First, the timeliness of the disclosure. Ler Teck Siang, the Singaporean doctor, had worked at the ministry until 2014, which means the data was likely stolen before he left.
Yet, it was only two years later, in 2016, that the ministry found out about a possible breach. It suspected Brochez may have had some confidential information in his possession, so it made a police report in May 2016.
After this, it seemed satisfied that the police had seized and secured the material at the two men’s properties. No public announcement was made to reveal the data breach.
Then, two years later in May 2018, the ministry found out that Brochez still had part of the records in his possession, according to Today. Another police report was made but again, the ministry did not see the need to reveal this to the public.
Finally, on January 22 this year, the police notified the ministry that the data had been leaked online. Only then did the ministry decide to make the announcement.
Why did it take so long, especially when sensitive medical data was exposed that could easily be used against the victims? The reasons the ministry gave are troubling, to say the least.
Yesterday, it even said it had worked with the “relevant parties” to disable access to the information. Who are these relevant parties? And frankly, who is the ministry trying to convince?
Nothing stays secret once it is leaked online. Copies are made and redistributed over and over, and taking down one copy does nothing about the rest. It doesn’t take a cyber security expert to tell you that.
And what of this “conservative approach” that Permanent Secretary of Health Chan Heng Kee said was taken because the ministry believed the leak was contained?
This is truly worrying. Does this mean the standard operating procedure (SOP) now is to try to contain a leak before announcing that it has occurred? That cannot be right.
If there is a data breach that carries a serious risk to its victims, the government has a duty to announce it so the public can be prepared. It has to at least tell the victims privately in advance. In this latest case, it did not manage to reach all of them.
Imagine if your data was stolen from your bank but it decided to keep quiet about the incident because it had “contained” the leak. You would be up in arms, as you should be now with how this serious data breach is handled.
Sure, a government agency should prioritise what information to give out, but when it comes to data breaches, the rules are clear. The Singapore government has spelt them out for the private sector.
Since 2013, the Monetary Authority of Singapore has mandated that financial institutions report critical system failures arising from technology and cyber security incidents.
The punishments are hefty too. Just last month, SingHealth and its technology partner IHiS were fined a combined S$1 million, a record for a data breach in Singapore.
Yet, what happens when the government itself is a victim of a data breach? The same rules don’t apply.
Government agencies are exempt from the privacy regulations that compel private entities, from a karaoke joint to a large healthcare group, to cough up fines for losing customer data.
They also don’t seem to have to report a data breach the same way a bank is obliged to, under tighter guidelines aimed at addressing today’s heightened risks. That cannot be right.
It’s about time the government practised what it preached. As an entity that holds the most sensitive data, from a citizen’s medical records to his tax returns, it cannot just say “trust us”.
It has to show that it is following the same strict rules it believes are best for the private sector. No, actually, it should do better than that.
Can the ministry actually prevent an insider from leaking data, deliberately or inadvertently? There is no way to stop every attack, but there are data loss prevention tools that detect protected records being copied or sent out of a controlled environment, and access logs that show who retrieved how many records and when. They will not stop a senior insider with legitimate access from taking data piece by piece, but they at least make bulk copying visible and attributable.
You would hope that government agencies have those tools. They should have higher – not lower – standards of data protection than the average organisation that you deal with every day.
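As an added illustration, not part of the original article and not a description of any tool the ministry actually uses, the script below shows the kind of content check such tools perform on outbound data. It looks for Singapore NRIC/FIN identifiers, validates each one with the publicly documented check-letter algorithm so that placeholder or mistyped numbers do not count, and flags a payload when several validated identifiers appear together with health-related terms. The sample payloads, the keyword list, the threshold and the block/review/allow policy are all constructed for this example.

```python
"""Hypothetical content-based DLP check for outbound text (added example, not a real product)."""
import re

# Singapore NRIC/FIN format: prefix letter, seven digits, check letter.
# (The newer M-prefix FIN series uses a different table and is out of scope here.)
NRIC_RE = re.compile(r"\b([STFG])(\d{7})([A-Z])\b")
WEIGHTS = (2, 7, 6, 5, 4, 3, 2)
CHECK_LETTERS = {"S": "JZIHGFEDCBA", "T": "JZIHGFEDCBA",
                 "F": "XWUTRQPNMLK", "G": "XWUTRQPNMLK"}
PREFIX_OFFSET = {"S": 0, "F": 0, "T": 4, "G": 4}

# Constructed keyword list for the demo; a real policy would be tuned per data class.
SENSITIVE_TERMS = ("hiv", "viral load", "cd4 count", "antiretroviral")


def nric_check_letter(prefix: str, digits: str) -> str:
    """Compute the check letter using the public NRIC/FIN checksum."""
    total = sum(int(d) * w for d, w in zip(digits, WEIGHTS)) + PREFIX_OFFSET[prefix]
    return CHECK_LETTERS[prefix][total % 11]


def is_valid_nric(token: str) -> bool:
    """True only if the token is well-formed AND its check letter matches."""
    m = NRIC_RE.fullmatch(token)
    if not m:
        return False
    prefix, digits, letter = m.groups()
    return nric_check_letter(prefix, digits) == letter


def find_valid_nrics(text: str) -> set:
    """Distinct NRIC-looking tokens in the text whose checksum validates."""
    return {m.group(0) for m in NRIC_RE.finditer(text) if is_valid_nric(m.group(0))}


def classify(payload: str, nric_threshold: int = 5) -> dict:
    """Decide whether an outbound payload looks like a bulk export of identified records.

    Hypothetical policy for illustration:
      block  - at least nric_threshold validated identifiers AND a sensitive health term
      review - at least one identifier plus either signal on its own
      allow  - otherwise (including text that only mentions the terms)
    """
    ids = find_valid_nrics(payload)
    lowered = payload.lower()
    terms = [t for t in SENSITIVE_TERMS if t in lowered]
    if len(ids) >= nric_threshold and terms:
        verdict = "block"
    elif ids and (terms or len(ids) >= nric_threshold):
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "identifiers": len(ids), "terms": terms}


# Constructed sample payloads (not real people or records).
ROUTINE_EMAIL = (
    "Dear Mr Tan, your appointment (ref S1234567D) at the clinic is confirmed "
    "for Monday at 9am. Please bring your identification."
)

BULK_EXPORT = "\n".join([
    "nric,name,diagnosis,contact",
    "S1234567D,A,HIV positive,91234567",
    "S9876543C,B,HIV positive,91234568",
    "T0012345A,C,HIV positive,91234569",
    "F1122334Q,D,HIV positive,91234570",
    "G5555555P,E,HIV positive,91234571",
])

# Mentions HIV but every identifier has a wrong check letter: no validated IDs.
NOISE = (
    "Reminder: World AIDS Day talk on HIV prevention. Sample IDs in the slide "
    "template S1234567A, T0012345B and F1122334X are placeholders."
)

if __name__ == "__main__":
    for name, payload in (("routine", ROUTINE_EMAIL), ("bulk", BULK_EXPORT), ("noise", NOISE)):
        print(name, classify(payload))
```

The checksum step is what keeps a check like this usable: without it, any letter-plus-seven-digits string trips the rule and the alerts drown in noise. The limits are equally clear. A determined insider can compress, encrypt or split the records, so a content check of this kind belongs on top of need-to-know access control and retrieval logging, not in place of them.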
Unlike a bank, a telco or a hospital, you cannot just stop transacting with the government. You have to share your medical data when you visit a public hospital. If you have HIV, you have to be on a registry.
Unfortunately, as some of those affected are now finding out, there is little recourse in a data breach here except for a promise of better data protection and an offer of counselling. That’s cold comfort.
CLARIFICATION at 30/01/2019 10:02pm SGT: The original story had stated that the Ministry of Health did not notify the victims of the data breach in advance. It did reach out to “affected individuals” in May 2018 but was still attempting to reach out to more when the incident was announced.