There has been no attempt to cover up the HIV registry leak incident, Health Minister Gan Kim Yong stressed in Parliament yesterday.
Addressing concerns over the ministry's silence given that the breach was first discovered in 2016 and resurfaced in 2018 but announced only on Jan 28 this year, Mr Gan said: "(The) Ministry of Health (MOH) made a judgement call, balancing the various considerations.
"It is arguable that MOH should have made a different call. But I reject any allegation that MOH sought to cover up the incident."
Mr Gan insisted that on all occasions, the MOH had made its decisions with the well-being of those on the registry as its main priority.
When the MOH first found out in 2016 that Mikhy Farrera Brochez, now 34, had access to the confidential HIV information, it had to decide whether to inform those affected and to publicise it.
Mr Gan said that it was "not a straightforward decision".
"Relationships can be disrupted; lives can be changed. We had to exercise care and judgement in making our decision, and the well-being of the affected persons weighed heavily in our considerations," he said in his ministerial statement after nine MPs raised questions on the issue.
As there was no evidence that the information had been disseminated, the ministry decided that making the matter public would "not serve the interests of the affected individuals, when weighed against the inevitable anxiety and distress they would experience".
Mr Gan also revealed that the Attorney-General's Chambers (AGC) decided not to charge Brochez under the Official Secrets Act (OSA) because the rogue American lecturer was already facing other charges that carried heavier penalties.
"He was already facing numerous fraud and drug-related charges, which carried far heavier penalties," said Mr Gan.
"AGC also assessed that any jail term under the OSA was likely to be concurrent with jail terms that he would serve under the other offences," he added.
Brochez was charged with offences under the Misuse of Drugs Act, Penal Code and Infectious Diseases Act. He was issued a stern warning for the OSA offence.
The OSA charge for Brochez's Singaporean doctor partner, Ler Teck Siang, 36, is currently stood down, meaning it has been put aside until proceedings on his other charges have been concluded.
Mr Gan said: "AGC decided to go to trial against Ler on the cheating and false information charges first, as they were more serious and carried stiffer penalties.
"The trial for his drug charges will be held next, as these also involve stiffer penalties, including mandatory caning."
Mr Gan said that when the ministry first investigated the pair in 2012, it had no knowledge of or reason to suspect that Brochez had access to or was in possession of the data in the HIV registry. It was only in 2016, when Brochez was arrested for repeatedly refusing to take a blood test, that he provided to the police and government authorities 75 names and particulars from the registry.
"This was the first time MOH had evidence that Brochez may have access to confidential HIV-related data," said Mr Gan.
Following this, the police raided Brochez's and Ler's homes, seizing and securing all relevant materials, including computers and electronic storage devices.
The police also found out that he had sent a screenshot and a file of a further 46 records from the registry to his mother, but she agreed to let them access her e-mail account to delete those files.
After his deportation in May last year, Brochez sent a screenshot containing 31 records from the HIV Registry to several government authorities. Again, the ministry decided not to publicly announce the leak as there was still no specific evidence that Brochez had more information beyond these 31 records.
Furthermore, as on previous occasions, Brochez had shared it only with government authorities and not to any wider audience. The ministry contacted the 31 people affected. In Jan 2019, however, it became clear that Brochez probably still possessed the entire HIV Registry.
He had also put the information online and provided the link to a non-government party.
This meant that the likelihood of the identities of affected people being made public by Brochez had increased significantly. Acting swiftly, MOH worked with the police and other relevant parties to disable access to the information as quickly as possible.
Following the public announcement, a few parties have informed MOH that Brochez attempted to make contact with them in 2018, and had given them links to confidential information he had uploaded online.
Mr Gan said: "Unfortunately, as recent events showed, Brochez did manage to retain at least some data which he has recently disclosed, and we cannot rule out the possibility that he has more."
The Health Minister added: "This has been a regrettable incident caused by the irresponsible and deplorable actions of two individuals.
"I am sorry that the irresponsible actions of one of our officers has resulted in such distress to the affected persons. Ler's case is now before the courts, and he will be dealt with according to the law."
Mr Gan said that the authorities "will spare no effort in bringing (Brochez) to justice again for his latest crime".
SUSPECTED DATA BREACHES TO BE TREATED ACCORDING TO PROCEDURE
In the event of a suspected data breach like the HIV Registry leak, the process for the affected agency is to assess the damage, prevent further loss and take precautionary measures to heighten safeguards.
The Government Technology Agency (GovTech) will also put other government agencies on alert and take broader measures if need be, said Senior Minister of State for Communications and Information Dr Janil Puthucheary in Parliament yesterday.
There is no standard timing for public disclosure that automatically applies to all data breach cases, he added, as cases are carefully considered, taking into account the fact that disclosure may allow the attacker to create more damage, help him cover his tracks or cause unnecessary distress to victims.
Aside from the heightened security measures introduced in 2016, including a two-person approval process for accessing information, a Data Analytics Group was also set up in April last year, to focus on data usage and safeguards. Within the group is a six-person Data Governance Division which formulates policies, practices and guidelines for the Ministry of Health (MOH) and its agencies.
Health Minister Gan Kim Yong said MOH will "expand the role and resourcing of this unit", and ensure a specific mandate and team to look into the compliance and audit of data access and use.
"The aim is to protect and secure access to health sector data, in accordance with data protection requirements in the Government Instruction Manuals and Personal Data Protection Act, and other MOH sectoral legislation," Mr Gan said yesterday.
He added that in the light of the HIV Registry leak and the increased use of data across the healthcare sector, having staff adhere to policy governing data security is essential.
However, Mr Gan said that in hiring, there is "no foolproof system", as the integrity of a person can only be proven over time.
This article was first published in The New Paper. Permission required for reproduction.