In latest medical data breach, Singapore authorities fail to live up to standard they set for others

By Alfred Siew
Published January 29, 2019
Last updated: August 13, 2020 at 11:43 PM
PHOTO: Pexels (Creative Commons)

People diagnosed with HIV – some of the most vulnerable people – in Singapore are now the victims of the latest data breach to rock the country in recent months.

Yesterday, the Ministry of Health said 14,200 people who were HIV-positive had their personal data stolen and leaked online. Their “contacts”, or partners, were exposed as well.

Now, these 14,200 people may not be as numerous as the 1.5 million people affected by the SingHealth cyber attack last year, but the consequences this time are infinitely more dire for the victims.

With their identities unmasked, they could face no end of discrimination at home or at work. With their identification numbers and contact details exposed, they are wide open to blackmail.

The ministry has pointed the finger at an “unauthorised person”, who is said to have leaked the data online after being deported from Singapore for drug-related offences last year.

Mikhy K Farrera Brochez, an American, appears to have made use of his relationship with a Singaporean doctor, who was head of the ministry’s National Public Health Unit, to obtain the data.

That’s not the point of the story, however. The bigger issue is how the ministry handled the data breach. On so many counts, it falls short of expectations.

First, the timeliness of the disclosure. Ler Teck Siang, the Singaporean doctor, had worked at the ministry until 2014, which means the data was likely stolen before he left.

Yet, it was only two years later, in 2016, that the ministry found out about a possible breach. It suspected Brochez may have had some confidential information on him, so it made a police report in May 2016.

After this, it seemed satisfied that the police had seized and secured the material at the two men’s properties. No public announcement was made to reveal the data breach.

Then, two years later in May 2018, the ministry found out that Brochez still had part of the records on him, according to Today. Another police report was made but again, the ministry did not see the need to reveal this to the public.

Finally, on January 22 this year, the police notified the ministry that the data had been leaked online. Only then did the ministry decide to make the announcement.

Why did it take so long? Especially when sensitive medical data was exposed, which could easily be used against the victims? The reasons the ministry gave are troubling, to say the least.

Yesterday, it even said it had worked with the “relevant parties” to disable access to the information. Who are these relevant parties? And frankly, who is the ministry trying to convince?

Nothing is secret once it is leaked online. Copies are made, then redistributed over and over. It doesn’t take a cyber security expert to tell you that.

And what of this “conservative approach” that Permanent Secretary of Health Chan Heng Kee said was taken because the ministry believed the leak was contained?

This is truly worrying. Does this mean the standard operating procedure (SOP) now is to try to contain a leak before announcing that it has occurred? That cannot be right.

If there is a data breach that carries a serious risk to its victims, the government has a duty to announce it so the public can be prepared. It has to at least tell the victims privately in advance. In this latest case, it did not manage to reach all of them.

Imagine if your data was stolen from your bank but the bank decided to keep quiet about the incident because it had “contained” the leak. You would be up in arms, as you should be now with how this serious data breach has been handled.

Sure, a government agency should prioritise what information to give out but when it comes to data breaches, the rules are clear. The Singapore government has spelt them out for the private sector.

Since 2013, the Monetary Authority of Singapore has mandated that financial institutions report critical system failures arising from technology and cyber security incidents.

The punishments are hefty too. Just last month, SingHealth and its technology partner IHiS were fined a combined S$1 million, a record for a data breach in Singapore.

Yet, what happens when the government itself is a victim of a data breach? The same rules don’t apply.

Government agencies are exempt from the privacy regulations that compel private entities, from a karaoke joint to a large healthcare group, to cough up fines for losing customer data.

They also don’t seem to have to report a data breach the same way a bank is obliged to, under tighter guidelines aimed at addressing today’s heightened risks. That cannot be right.

It’s about time the government practised what it preached. As an entity that holds the most sensitive data, from a citizen’s medical records to his tax returns, it cannot just say “trust us”.

It has to show that it is following the same strict rules it believes are best for the private sector. No, actually, it should do better than that.

Can the ministry actually prevent an insider from leaking data, deliberately or inadvertently? There’s no way to stop all cyber attacks but there are tools that detect protected data being transferred out of a safe zone.

You would hope that government agencies have those tools. They should have higher – not lower – standards of data protection than the average organisation that you deal with every day.

Unlike a bank, a telco or a hospital, you cannot just stop transacting with the government. You have to share your medical data when you visit a public hospital. If you have HIV, you have to be on a registry.

Unfortunately, as some of those affected are now finding out, there is little recourse in a data breach here except for a promise of better data protection and an offer of counselling. That’s cold comfort.

CLARIFICATION at 30/01/2019 10:02pm SGT: The original story had stated that the Ministry of Health did not notify the victims of the data breach in advance. It did reach out to “affected individuals” in May 2018 but was still attempting to reach out to more when the incident was announced.

By Alfred Siew
Alfred is a writer, speaker and media instructor who has covered the telecom, media and technology scene for more than 20 years. Previously the technology correspondent for The Straits Times, he now edits the Techgoondu.com blog and runs his own technology and media consultancy.
Techgoondu.com is published by Goondu Media Pte Ltd, a company registered and based in Singapore.

Started in June 2008 by technology journalists and ex-journalists in Singapore who share a common love for all things geeky and digital, the site now includes segments on personal computing, enterprise IT and Internet culture.
