Singapore HIV registry leak

On 28 January 2019, Singapore's Ministry of Health (MOH) disclosed that the confidential records of 14,200 people diagnosed with HIV had been stolen from the national HIV registry and leaked online. The breach was not a remote hack but an insider-enabled data theft: the data was obtained through a Ministry doctor who had legitimate, privileged access, then exfiltrated and published by his foreign partner.

What happened

The HIV registry is a confidential MOH database recording everyone diagnosed with HIV in Singapore. Ler Teck Siang, a Singaporean doctor, headed MOH's National Public Health Unit from 2012 to 2013 and had authorised access to the registry. His partner, Mikhy Farrera-Brochez, a U.S. citizen living in Singapore, came into possession of the data.

Brochez was a serial fraudster — he had faked his own HIV test (using Ler's blood) to obtain an employment pass — and was convicted of fraud and drug offences in 2017, then deported. Even after deportation, he retained copies of the registry. In January 2019 he published the records online, apparently in an extortion-tinged campaign against the Singapore government. MOH determined Ler had failed to safeguard the data, allowing Brochez to copy it.

Impact

14,200 individuals were exposed: 5,400 Singaporeans diagnosed between 1985 and January 2013, and 8,800 foreigners diagnosed between 1985 and 2011.
Leaked fields included names, NRIC/passport numbers, contact details, HIV test results and related medical information — among the most stigmatising categories of personal data.
For 2,400 of the records, the contact details of partners and family were also exposed.

Attribution

This was an insider-and-accomplice case, not an external intrusion. Brochez was the one who stole and published the data; Ler Teck Siang was convicted under the Official Secrets Act for failing to take reasonable care of the registry, on top of earlier convictions for abetting Brochez's fraud and for drug offences. Brochez was separately sentenced in the United States to 24 months' imprisonment in 2019 for fraud and aggravated identity theft.

Why it matters

The leak became a defining case in data-governance and insider-risk policy. Because the information could not be recalled once published, MOH could only disable access and monitor the internet for re-disclosure — illustrating the permanence of leaked sensitive data. Singapore responded by tightening controls on the registry: it reduced the number of staff with access, implemented two-person approval and download controls, and disabled the ability to download or print registry data. The case is repeatedly cited across Asia as a cautionary example of how privileged-insider access, not perimeter security, is often the weakest link in protecting highly sensitive health data.

Timeline

January 1, 2008

Mikhy Farrera-Brochez begins living in Singapore; his partner Ler Teck Siang heads MOH's National Public Health Unit with HIV-registry access.

May 1, 2016

MOH discovers Brochez possesses confidential registry information and reports him to police; access is reviewed.

May 1, 2018

Brochez, deported from Singapore, is again found to hold registry data; police are alerted.

January 22, 2019

MOH confirms records of 14,200 HIV-positive people have been leaked online by Brochez.

January 28, 2019

MOH publicly discloses the leak and begins notifying affected individuals.

June 8, 2019

A U.S. court sentences Brochez to 24 months in prison for fraud and identity theft.

Sources

statnews.comhttps://www.statnews.com/2019/01/28/singapore-says-american-leaked-hiv-records/

aljazeera.comhttps://www.aljazeera.com/news/2019/1/28/american-leaked-records-of-14200-hiv-patients-says-singapore

vice.comhttps://www.vice.com/en/article/a-data-breach-in-singapore-leaked-the-details-of-14200-people-with-hiv/

feeds.bbci.co.ukhttps://feeds.bbci.co.uk/news/world-asia-48523308

thejakartapost.comhttps://www.thejakartapost.com/seasia/2019/01/29/data-of-14200-hiv-positive-people-leaked-in-singapore.html

Related incidents

RansomwareResolvedOctober 30, 2021

Newfoundland and Labrador health-system cyberattack

A Hive ransomware attack on Newfoundland and Labrador's health-care network crippled IT systems across the province, forcing the cancellation of thousands of appointments and procedures in what officials called the worst cyberattack in Canadian history.

Victim: Newfoundland and Labrador Centre for Health Information / Eastern Health

Data breachResolvedOctober 4, 2021

Protemps data breach (2021)

In October 2021, the Singaporean recruitment website Protemps suffered a data breach that exposed almost 50,000 unique email addresses. The impacted data includes names, email and physical addresses, phone numbers, passport numbers and passwords stored as unsalted MD5 hashes, among troves of other…

Victim: Protemps
Records: 49.6K

RansomwareResolvedAugust 1, 2021

Lazio Region ransomware attack

A RansomEXX ransomware attack encrypted the datacenter of Italy's Lazio Region, knocking the COVID-19 vaccination booking portal offline for days and triggering a domestic terrorism investigation.

Victim: Regione Lazio

Data breachinvestigatedMay 20, 2021

BPJS Kesehatan data leak

Personal data on an estimated 279 million Indonesians — more than the country's living population — was scraped from the national health-insurance agency BPJS Kesehatan and offered for sale on the RaidForums hacking forum.

Victim: BPJS Kesehatan
Records: 279.0M