HIV Data Exposed Online

Authentication, Data Breach, Data Loss

Singapore Authorities Allege Incident Involved an Insider
(HealthInfoSec) • January 29, 2019

Information about more than 14,000 HIV patients included in a Singapore health registry was exposed online, allegedly by a U.S. citizen whose partner was a Singapore doctor who had authority to access the data.


The incident illustrates the importance of taking steps to safeguard the most sensitive patient information from leaks.

For instance, to prevent incidents along the lines of the Singapore HIV data leak, organizations handling especially sensitive health information should consider using behavioral analytics to monitor and detect when this data is inappropriately used or disclosed, suggests privacy attorney David Holtzman, vice president of the security consultancy CynergisTek.

"These monitoring tools provide data protection professionals full visibility into how users are accessing individually identifiable health information, allowing healthcare organizations to better protect confidentiality and proactively detect actual threats to sensitive data," he says.
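The kind of per-user baseline check such monitoring tools perform, as an added example (not a vendor's product): it flags a registry user whose daily record volume far exceeds their own typical day, and any bulk export from a single account. The audit log format, user names and thresholds are constructed for illustration.

```python
"""Baseline-based access monitoring for a sensitive registry: flag any user
whose daily record volume far exceeds their own typical day, and any bulk
export from a single account. Added example over constructed audit lines."""
from collections import defaultdict
from statistics import median
# Constructed audit log: date, user, action, records touched. Not real data.
AUDIT_LOG = """\
2013-01-07 clinician_a VIEW   12
2013-01-08 clinician_a VIEW   9
2013-01-09 clinician_a VIEW   15
2013-01-10 clinician_a VIEW   11
2013-01-11 clinician_a EXPORT 14200
2013-01-07 clinician_b VIEW   20
2013-01-08 clinician_b VIEW   18
2013-01-09 clinician_b VIEW   22
2013-01-10 clinician_b VIEW   19
2013-01-11 clinician_b VIEW   21
"""

def parse_log(text):
    """Return (day, user, action, count) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            day, user, action, count = line.split()
            events.append((day, user, action, int(count)))
    return events

def daily_totals(events):
    totals = defaultdict(lambda: defaultdict(int))  # user -> day -> records
    for day, user, _action, count in events:
        totals[user][day] += count
    return totals

def detect_anomalies(events, ratio=10.0, min_baseline_days=3):
    """Alerts as (user, day, reason): a day whose volume exceeds `ratio` times the
    median of that user's other days, plus any bulk EXPORT by a single account."""
    alerts = set()
    for day, user, action, count in events:
        if action == "EXPORT":
            alerts.add((user, day, f"bulk export of {count} records"))
    for user, per_day in daily_totals(events).items():
        for day, total in per_day.items():
            others = [v for d, v in per_day.items() if d != day]
            if len(others) < min_baseline_days:
                continue  # not enough history to judge this user yet
            base = median(others)
            if base > 0 and total > ratio * base:
                alerts.add((user, day, f"{total} records vs median {base:g}"))
    return sorted(alerts)
```

The baseline is each user's own history, so a clinician whose legitimate workload is consistently high is not flagged, while a one-day jump of two orders of magnitude is.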

The revelation about the Singapore HIV data breach comes on the heels of authorities in the island nation reporting that a 2017 cyberattack exposed health information of 1.5 million patients of SingHealth, Singapore's largest healthcare group.

Exposed Data

In a statement issued Monday, the Singapore Ministry of Health says police alerted the agency on Jan. 22 that confidential information about 14,200 individuals diagnosed with HIV and 2,400 of their contacts was in the possession of an "unauthorized person" and had been illegally disclosed online.

The ministry, which did not identify where the information was disclosed online, says it determined that the data matched its HIV Registry's records up to January 2013. The ministry worked with the "relevant parties" to disable access to the information, the statement says.

"While access to the confidential information has been disabled, it is still in the possession of the unauthorized person and could still be publicly disclosed in the future," the ministry says. "We are working with relevant parties to scan the internet for signs of further disclosure of the information."


The affected records are those of 5,400 Singaporeans diagnosed with HIV, and 8,800 foreigners - including visitors and those with work permits - diagnosed with HIV up to December 2011. The compromised data includes names; identification numbers; contact details, such as phone number and address; and HIV test results and related medical information.

The names, identification numbers, phone numbers and addresses of 2,400 other individuals also were leaked, the ministry says.

Insider Connection

The Ministry of Health alleges that the confidential HIV information was leaked to Mikhy K. Farrera Brochez, who still possesses the information. Brochez is a U.S. citizen who lived in Singapore on an employment pass between January 2008 and June 2016.

Authorities allege that Brochez was the partner of a Singaporean doctor, Ler Teck Siang. "As the head of the ministry of health's National Public Health Unit from March 2012 to May 2013, Ler had authority to access information in the HIV Registry as required for his work," the ministry statement says.

The incident boils down to "malicious activity of a privileged insider," Holtzman says.

The Ministry of Health statement indicates that "the leader of Singapore's public health HIV program was involved in a scheme in which they used their authorized system access to download the data of individuals diagnosed with HIV," he notes. "As a result of this incident, the government later put in safeguards to better protect this data from unauthorized duplication or disclosure."

Convicted Fraudster

Brochez was arrested by Singapore authorities in June 2016 and subsequently was convicted of numerous fraud and drug-related offenses in March 2017, the ministry statement says.

The fraud offenses included Brochez allegedly lying about his own HIV status to the Singapore Ministry of Manpower in order to obtain and maintain his employment pass; furnishing false information to police during a criminal investigation; and using forged degree certificates in job applications, the Ministry of Health statement says.

Brochez was sentenced to 28 months in prison, and upon completing his sentence, was deported from Singapore in 2018. He currently remains "outside Singapore," the Ministry of Health says.

Meanwhile, Ler resigned in January 2014 and was charged in Singapore court in June 2016 for offenses under the Penal Code and the Official Secrets Act, the ministry notes.

"In September 2018, Ler was convicted of abetting Brochez to commit cheating, and also of providing false information to the police and ministry of health," the ministry statement says.

Ler was sentenced to 24 months' imprisonment and has appealed; an appeal hearing is scheduled for March.

"In addition, Ler has been charged under OSA for failing to take reasonable care of confidential information regarding HIV-positive patients," the statement says. Ler's charge under the OSA is pending before the courts.

Additional Safeguards

The ministry says that since 2016, it has put into place "additional safeguards against mishandling of information by authorized staff." That includes a two-person approval process to download and decrypt registry information to ensure that the data cannot be accessed by a single person.
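One way to enforce a two-person rule of this kind, as an added example that is not the ministry's implementation: the registry decryption key exists only as two XOR shares held by different custodians, and it is reassembled only when one holder of each share, neither of them the requester, signs off. The names, roles and fingerprint check are constructed for illustration.

```python
"""Two-person control for a registry export: the decryption key exists only as two
XOR shares held by different custodians and is reassembled only when one holder of
each share, neither being the requester, signs off. Added example, constructed roles."""
import hashlib, secrets

# Constructed role table: two custodian roles, one per key share, plus an analyst.
ROLES = {"alice": "custodian_a", "bob": "custodian_b",
         "carol": "custodian_a", "dave": "analyst"}

class ApprovalError(Exception):
    pass

def split_key(key):
    """2-of-2 split: each share alone is uniformly random and reveals nothing."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b

def fingerprint(key):
    """Recorded at split time so a wrong or corrupted share is rejected, not used."""
    return hashlib.sha256(key).hexdigest()

def reassemble_key(requester, approvals, expected_fp):
    """approvals: approver name -> the share that approver holds. Returns the key
    only if one custodian of each share, neither the requester, signed off."""
    if requester not in ROLES:
        raise ApprovalError("unknown requester")
    shares = {}
    for name, share in approvals.items():
        role = ROLES.get(name)
        if role not in ("custodian_a", "custodian_b"):
            raise ApprovalError(f"{name} is not a key custodian")
        if name == requester:
            raise ApprovalError("requester cannot approve their own export")
        if role in shares:
            raise ApprovalError(f"two approvers presented the same share ({role})")
        shares[role] = share
    if set(shares) != {"custodian_a", "custodian_b"}:
        raise ApprovalError("one custodian of each share is required")
    key = bytes(a ^ b for a, b in zip(shares["custodian_a"], shares["custodian_b"]))
    if fingerprint(key) != expected_fp:
        raise ApprovalError("shares do not reconstruct the registry key")
    return key

def try_reassemble(requester, approvals, expected_fp):
    """The key on success, None when the policy denies or the shares are wrong."""
    try:
        return reassemble_key(requester, approvals, expected_fp)
    except ApprovalError:
        return None
```

The reassembled key would feed whatever authenticated encryption the deployment uses for registry exports; the point here is that no single account, including a compromised one, ever holds enough to perform the decryption alone.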

"A workstation specifically configured and locked down to prevent unauthorized information removal was designated for processing of sensitive information from the HIV registry," the ministry says.

The use of unauthorized portable storage devices on official computers was also disabled at the ministry in 2017, as part of a governmentwide policy, the statement notes.

Managing Risk

So far, the U.S. breaches exposing HIV data that have come to light have mostly involved unintentional incidents, notes privacy attorney Adam Greene of the law firm Davis Wright Tremaine.

"My impression is that HIV information is not a greater target to most hackers, as it is not more helpful than other information for identity theft purposes," he notes.

Nonetheless, HIV status and other sensitive information may create a larger impact if viewed by unauthorized persons and, therefore, constitute a larger risk, he says.

"The result may be that more controls are needed to manage the higher risk. For example, a primary care practice may determine that it is reasonable to send appointment reminders through unencrypted email or texts, while a specialty HIV clinic may determine that there is a higher impact if such appointment reminders are viewed by unauthorized persons and, therefore, they should be sent through secure messaging that does not identify the clinic until after login."

U.S. Incidents

Incidents involving the accidental compromise of HIV data in the U.S. have included:

- A postal mailing in 2017 from health insurer Aetna of letters to 12,000 individuals with their HIV-drug related information visible through envelope windows. The incident resulted in class action lawsuit settlements and state attorneys general enforcement actions totaling more than $20 million to date.
- Records containing HIV information for 192 patients left on a train in 2011 by a Massachusetts General Hospital worker. That incident resulted in a $1 million HIPAA settlement with the Department of Health and Human Services' Office for Civil Rights.
- The discovery in 2018 that an unsecured database containing information about thousands of HIV/AIDS patients at Nashville, Tennessee's Metro Public Health Department was inappropriately accessible to all staff.

Small Incident, Big Fines

But in the U.S., even smaller accidental breaches involving HIV data have resulted in hefty penalties.

"HHS OCR highlighted this issue in its settlement agreement with St. Luke's-Roosevelt Hospital Center Inc., which was the result of 'careless handling of HIV information,' rather than of a cyberattack," notes privacy attorney Iliana Peters of the law firm Polsinelli.

That incident involved the impermissible disclosure of sensitive medical information, including HIV status, through the faxing of data on only two patients.

"Given the repercussions for individuals living with HIV and AIDS as a result of an impermissible disclosure of their information, particularly with regard to potential misuse by employers or health insurance companies, along with any other discrimination experienced by these individuals from family members, friends, or society in general, the importance of safeguarding this information cannot be understated," says Peters, a former OCR official.

Steps to Take

Organizations should consider extra safeguards for particularly sensitive data, such as HIV information, security experts say.

"While entities should implement reasonable and appropriate administrative, physical and technical safeguards to all of the patient information they maintain, it may be that the risks to some sensitive information is higher than to other types of information, pursuant to their enterprise risk analysis or assessments, and, as such, require additional safeguards," Peters says.