Health Ministry should have gone public earlier with HIV Registry leak: Observers

SINGAPORE — The Ministry of Health (MOH) should have gone public earlier, after it first found out — almost three years ago — that information of patients with the human immunodeficiency virus (HIV) had fallen into the wrong hands, most observers told TODAY. 

Even with the interests of the patients in mind, the MOH could have released some information as soon as it ascertained the extent of the leak in May 2016, without compromising the fact-finding process and investigations, they added. Nevertheless, some felt that it could have had reasons for not doing so.

The observers' comments came amid a furore over how the ministry handled the situation.

On Monday (Jan 28), the MOH announced that confidential information of 14,200 individuals with HIV and 2,400 of their contacts is in the hands of an American called Mikhy K Farrera Brochez.

Brochez, 33, who is HIV-positive, lived here between 2008 and 2016 when he deceived the authorities with the help of his boyfriend Ler Teck Siang. Ler, 37, who is now on trial for drug-related offences, was the former head of MOH’s National Public Health Unit and had access to the HIV Registry.

Questions raised since Monday’s announcement include:

• Why the MOH did not tell the public when it learnt in May 2016 that Brochez possessed information that appeared to be from the HIV Registry
• Why the MOH did not tell the public when it learnt in May 2018 that Brochez still had part of the HIV Registry's records

BUILDING TRUST

Mr Alan John, a former newspaper editor and volunteer with non-governmental organisation Action for Aids, said: “When you see that the information was available years ago and that we are only finding out at this point after (Brochez) did this, it feels inadequate... It is shocking.”

He added: “(The general public) should know also because of the stigma attached to HIV infection. Our view of HIV is totally different than our view of cancer or heart disease (which most people can) sympathise with.

“We know that there is education of the wider population that needs to be done when this group is targeted in this way.”

When Mr John volunteered with Action for Aids in the 1990s, he saw “a full-grown person collapse in tears” over the condition.

Singapore Management University's law professor Eugene Tan noted that “reasonable minds would differ on what the right time to disclose a data breach (should be)”.

The MOH should explain its decision-making process as part of the process of trust- and confidence-building after another significant breach, following last year’s cyber attack on public healthcare cluster SingHealth, he said.

Transparency has to be a tenet of how government bodies deal with data breaches, as “that’s how trust is built and sustained, that there are no cover-ups”, Associate Professor Tan said.

Sociologist Tan Ern Ser from the National University of Singapore said that the MOH could have gone public after getting a clearer idea of the damage done, and being in a position to assure the public that damage-control measures are in place.

The MOH did not respond by Thursday night to queries sent on Wednesday.

By Thursday, the ministry managed to reach 2,310 of 3,500 Singaporeans diagnosed with HIV up to January 2013 — those who are still alive.

Mr Chan Heng Kee, Permanent Secretary of the MOH, said on Monday that its “most important consideration” before going public with any information is whether patients’ interest and well-being would be compromised.

The MOH would then consider if the information was secured or had been publicly disclosed, or if there is the “continuing risk of the information being publicly exposed”.

In this case, the information had been disclosed online. The MOH also assessed that even with best efforts, it would not be able to “pro-actively contact” a sizeable number of the affected individuals.

“Certainly, in the case where information is contained, we will take a more conservative approach, given that we do know that the persons in this registry would have concerns about a public announcement,” Mr Chan said.

OTHER CONSIDERATIONS?

In the absence of more details from the MOH, other observers said that they could understand the ministry’s actions.

Member of Parliament Joan Pereira, who sits on the government parliamentary committee for health, said that the MOH could have “other considerations” in not going public immediately.

“The priority would firstly be to take steps to stop its further propagation and to deal with the source or to contain it, and to take the appropriate legal enforcement action,” she added.

Former Nominated Member of Parliament Calvin Cheng called for members of the public to “stop (spreading) disinformation” of an alleged cover-up by MOH in a Facebook post on Wednesday.

Mr Cheng told TODAY: “Given the sensitivity and stigma surrounding HIV patients, I do not think there was an urgent need to tell the general public.

“There is, however, responsibility to tell the affected HIV patients. I think MOH genuinely thought in 2016 that the information was retrieved and the perpetrator caught and punished. The moment they realised this was not the case in 2018, they informed the affected people.

“In 2019, when the information was put out into the public domain, they announced this to the public… In this case, the need for privacy for the HIV patients takes precedence over the need for the general public to know.”

However, Mr Cheng said that the MOH “ought to have told the affected parties immediately in 2016 even after they apprehended (Brochez)”. ADDITIONAL REPORTING BY LOUISA TANG

TIMELINE OF EVENTS

• End- 2012: Dr Jeffrey Cutter, then director of the Communicable Diseases Division at MOH, confronted Brochez’s boyfriend Ler Teck Siang, who was then head of the National Public Health Unit, about Brochez’s allegations that he shared a screenshot of the HIV Registry with another individual.

• May 2013: Ler was transferred to the tuberculosis control unit before he resigned in January 2014.

• May 2016: MOH was informed that Brochez possessed confidential information that appeared to be from the HIV Registry. It made a police report.

• May 2018: MOH received a tip-off that Brochez still had information from the HIV Registry. Another police report was made, while the ministry started informing “a very small number” of affected people of the breach.

• Jan 22, 2019: The police told MOH that the stolen information had been leaked online.

• Jan 26, 2019: MOH started notifying and rendering help to affected individuals.

• Jan 28, 2019: MOH announced HIV Registry's data leak.