Confidential data of 14,200 people diagnosed with HIV, mostly foreigners, has been stolen and leaked online in Singapore, authorities said Monday, the second massive data breach in the city-state within months.
An American convicted of numerous crimes is believed to have leaked the information after obtaining it from his partner, a Singaporean doctor with access to the HIV registry, the ministry of health said.
It comes after the health records of 1.5 million Singaporeans, including Prime Minister Lee Hsien Loong, were stolen in a suspected state-sponsored attack in June and July, the country’s biggest ever data breach.
“Confidential information regarding 14,200 individuals diagnosed with HIV up to January 2013, and 2,400 of their contacts, is in the possession of an unauthorised person,” the ministry said in a statement.
“The information has been illegally disclosed online… We are sorry for the anxiety and distress caused by this incident.”
The information includes names, identification numbers, contact details, HIV test results and other medical information.
Access to the information has been blocked but it is still in the possession of the person who leaked it — and could be disclosed again, the ministry warned.
Those affected are 5,400 Singaporeans diagnosed with HIV up to January 2013, and 8,800 foreigners diagnosed with HIV up to December 2011.
Singapore, an affluent city-state of 5.6 million people, is home to many expatriates.
The health ministry was notified by police last week that confidential information from the HIV registry may have been disclosed.
The data is in the possession of Mikhy K. Farrera Brochez, a male US citizen who lived in Singapore from 2008 to 2016, the ministry said.
He was convicted of fraud and drug-related offences in March 2017, and was deported from Singapore after completing his sentence.
He is not currently in the city-state, the ministry said, adding that authorities were seeking assistance from their foreign counterparts.
Brochez was the partner of Ler Teck Siang, a male Singaporean doctor, who had access to the HIV registry for his work. He was convicted in September of abetting Brochez in criminal activity, and sentenced to 24 months’ imprisonment. He is appealing.
Earlier this month, an official inquiry into last year’s breach highlighted a litany of failings, including weaknesses in computer systems, and said authorities believed a state was likely behind the attack.