Wednesday, 27 February 2019

History of and thoughts on the 14200 HIV related leak in MoH Singapore


The Singapore health sector has been hit with a second information leak in a few months. After the hacking episode at SingHealth, there has been a willful disclosure of confidential information from the Ministry of Health (MoH). The case is made more serious because of the potential impact of the leak on peoples’ lives. It contains the names and contact details of 14,200 people who have been found HIV positive in Singapore and some of their contacts.

While the current case only became public in January 2019, this is part of a much longer story, where the 2 principal actors are Mr Brochez a US citizen, and Dr Ler, a Singapore citizen and who briefly headed the National Public Health of the MoH.

Many of you may know, I am quite serious about data privacy, so I decided to try and put the whole story in perspective. This is a story 12 (or more) years in the making, it really does read like a novel, but my aim is to help think about data security/confidentiality then and now.

I hope the infographic above is readable, it wasn’t easy trying to fit so much information into 1 single page.





  1. The story starts in 2007 with Mr Brochez and Dr Ler meeting online, liking each other’s internet personalities
  2. Mr Brochez moved to Singapore in January 2008; as part of the requirements for an employment pass required for foreigners to work in Singapore, he was required to submit to an HIV test. People who are found to have HIV positive would not be allowed to work in Singapore.
  3. Mr Brochez first took the HIV test in march 2008, at the Singapore Anti Tuberculosis Association clinic using a fake Bahamian passport. He tests HIV positive.
  4. Dr Ler draws his own blood, Mr Brochez turns up at the “My family clinic” in Commonwealth where Dr Ler is working, and Dr Ler submits his own blood as that of Mr Brochez for testing. This sample test HIV negative and Mr Brochez is granted the employment pass (EP). He works in private practice.
  5. In September 2008, Mr Brochez applies to teach at Temasek Poly and is hired.
  6. On Jan 1 2010, The New Paper publishes an article on Mr Brochez, where he explains his genius, how he was brought up by his famous doctor mother, was the youngest in Princeton (at 13) went to Vanderbilt (where he obtained 2 Masters) among other claims. At a later stage these were all shown to be fake.
  7. In February 2011, Mr Brochez is granted a Personal Employment Pass (PEP) by the Ministry of Manpower (MoM)
  8. In March 2012, Dr Ler starts his stint as Head of the National Public Health at the MoH.
  9. In November 2012, Mr Brochez informs an MoH Director that Dr Ler showed him screenshots of the database of people who have tested HIV positive, and informed someone else he was HIV positive. MoH launches an investigation, but Mr Brochez subsequently does not cooperate.
  10. Dr Ler’s role as head of National Public Health at MoH ends in May 2013.
  11. In October 2013, MoM receives information that Mr Brochez is HIV positive, and asks him to cancel his PEP by 8 November 2013. Mr Brochez replies that he will prove that he is HIV negative.
  12. On November 22 2013, Dr Ler again passes off his blood as that of Mr Brochez for him to retain his PEP.
  13. Dr Ler and Mr Brochez deny again that the blood tested was not that of Mr Brochez.
  14. Dr Ler resigns from MoH in January 2014.
  15. Mr Brochez and Dr Ler get married in April 2014 in New York.
  16. In May 2016, Mr Brochez is found in possession of 'Ketaminised Cannabis'. During the search his education certificates were also found, and they were found to be forged.
  17. In May 2016 he MoH also makes a police report against Mr Brochez after learning he has a list of people who tested HIV positive in Singapore and their contacts.
  18. Dr Ler admits he used his own blood to substitute that of Mr Brochez in the HIV tests that were negative.
  19. In June 2016, Mr Brochez is remanded for numerous fraud charges including lying about his HIV status, and drug related charges.
  20. Dr Ler is charged under the Penal Code and the Official Secrets Act; for OSA the charge was relating to not keeping possession of a thumb drive with details of the HIV registry.
  21. In July 2017, the government disables the use of non-authorised portable storage devices as part of a government wide tightening of security.
  22. In April 2018, Mr Brochez finishes his sentence and is deported.
  23. In May 2018, MoH makes a police report after learning that Mr Brochez still has a copy of the registry.
  24. On January 22 2019, the police informs MoH that a list of people who tested HIV positive in Singapore and their contacts has be leaked online.
  25. On January 24 2019, the MoH confirms that the data was for the registry as at January 2013.
  26. MoH and the police work to disable access to the information leaked online
  27. MoH confirms the leak to the public on January 28 2019.


What do you think of the case?\

First of all this case is very different from the SingHealth case where people hacking was involved, and the first response was to sweep things under the carpet and not even report the breach. In this case, I feel, the first priority of MoH was to inform the people affected and provide them with the support they need. This must be a very traumatic time for them.
Secondly, I think this is a story of official blindness or stupidity.


  1. The unnamed private practice that employed Mr Brochez in 2008 must have reviewed his education certificates before deciding to hire him.
  2. The MoM too must have checked his education certificates in 2008; Vanderbilt does not have millions of Masters Graduates.
  3. Temasek Poly also reviewed the education certificates in September 2008, and must have interviewed Mr Brochez thoroughly; as a lecturer he would have the power to help mould the minds of many young people.
  4. The New paper also swallowed the stories of Mr Brochez hook, line and sinker.



Ok, now to the elephant in the room…

  1. MoH was told since November 2012 that Dr Ler had, in his possession screenshots of the HIV registry. While it has been argued by the MoH that people in Dr Ler’s role needed to be able to download the data (more on that later), I fail to see why screen shots shown to people who are not authorized to see the database do not set alarm bells ringing.Yes, Mr Brochez decided not to cooperate with the enquiry, but in view of the risk (the damage caused to people on the registry if their details were leaked), a more serious and sustained effort should have been made.But then, that brings up the point; if data is protected by the Official Secrets Act, and that data relates to peoples personal details and contact details, what legitimate use can one really have to mass download the records? Wasn’t the usage of the database tracked?
  2. In May 2016, when presumably a copy of the list was discovered when searching the apartment, why didn’t the authorities consider that there may have been copies not on-site? At the least, couldn’t the sentencing of Mr Brochez be subject to his having relinquished all the copies and undertaking not to use them? 
  3. Why did the MoH not institute increased protection for the database and wait until the government-wide initiative to do so? MoH had already known for sure of the issues since at worse June 2016; Dr Ler was charged with regards to OSA, but still the disabling of downloads to unauthorized storage only happened in July 2017.

  

In sum

I think MoH did the right thing in focusing in the potential fall-out of the leak and worked to disable access to the information and counselling the people potentially directly impacted. However, the whole saga revealed a very loose approach to data security: allowing and even justifying mass download of the database (I actually think the intent would be much much worse if it was downloaded 1 record at a time) by saying it was required by the role Dr Ler was playing as Head of National Public Health, to me, shows that the people who created and thought of the use of the database did not take into account the risks.

On the other hand, I find it really interesting that the original employer of Mr Brochez who sponsored his original EP (unless this was an organization somehow linked to Dr Ler – this is something I could not find out), the MoM, Temasek Poly, all failed to see that his academic credentials were forged.

Latest Development 
In a latest development, Mr Brochez has also made available a list of 13 HIV positive people who were due for medical check-up at Changi Prison on March 28 2018 (15). Mr Brochez finished his sentence and was deported in April 2018.

Whether it is the prison service, Parkway Shenton (who is contracted to carry out the tests), it is really amazing how little consideration they give to the data they are guardians of. How can a person, who is in prison, have access to a list of fellow patients, their identities and identity card numbers…

In a facebook post over the weekend (16), Mr Brochez also maintained that he has tried to inform the authorities of the leaks since 2012, and claims that neither he, not Dr Ler, were the ones who copied the information, but rather a lawyer in Singapore with whom his husband was having an affair.

The police and prison service responded (17).

Needless to say that this saga is not likely to end so soon, but what I hope had ended is data leaks due to bad (allowing mass download) or lax policies (not verifying educational certs, not tightening procedures immediately after leaks found).



  1. https://www.tnp.sg/news/singapore/doctor-jailed-switching-hiv-positive-blood-his-own
  2. https://www.moh.gov.sg/news-highlights/details/unauthorised-possession-and-disclosure-of-information-from-hiv-registry
  3. https://www.channelnewsasia.com/news/singapore/hiv-positive-records-leaked-online-singapore-mikhy-brochez-11175718
  4. https://www.channelnewsasia.com/news/singapore/hiv-data-leak-what-we-know-about-mikhy-farrera-brochez-11175940
  5. https://mothership.sg/2019/01/14200-moh-hiv-leak/
  6. http://news.asiaone.com/News/Education/Story/A1Story20091228-188488.html
  7. https://www.todayonline.com/singapore/doctor-accused-helping-hiv-positive-boyfriend-deceive-mom
  8. https://coconuts.co/singapore/news/american-conman-deported-singapore-leaked-information-14-2k-people-diagnosed-hiv/
  9. https://www.tnp.sg/news/singapore/doctor-jailed-switching-hiv-positive-blood-his-own
  10. https://www.straitstimes.com/singapore/courts-crime/fake-american-professor-who-used-boyfriends-blood-for-hiv-test-jailed-28
  11. https://www.channelnewsasia.com/news/singapore/public-servants-barred-from-using-unauthorised-usb-drives-9031718
  12. https://www.straitstimes.com/singapore/suspicions-about-leak-emerged-as-early-as-in-2012
  13. https://www.straitstimes.com/singapore/health/how-the-hiv-data-leak-was-handled
  14. https://www.businessinsider.sg/parliament-9-questions-on-hiv-registry-data-leak-addressed-by-singapores-health-minister-gan-kim-yong/
  15. https://www.channelnewsasia.com/news/singapore/hiv-data-leak-mikhy-brochez-singapore-prison-service-11251244
  1. https://www.singaporenewsgazette.com/joint-spf-sps-statement-in-response-to-allegations-made-in-mikhy-brochezs-facebook-post-2/



No comments:

Post a Comment