Health Minister Gan Kim Yong said in parliament yesterday (12 Feb) that persons affected by the HIV Registry data breach can sue the Ministry of Health.
This, after being pressed by Nominated Member of Parliament Irene Quay regarding recourse for victims as MOH is exempted from the Personal Data Protection Act which governs the collection, use and dissemination of personal data by private organisations.
Quay had asked:
“With PDPA exemption for MOH, what will be the recourse for victims, that the victims can take as a result of exposure of this sensitive information…for better accountability?”
In response, Gan said:
“Patients can take civil action against the Ministry of Health on breach of data or loss of data. But we encourage them to talk to us, we will discuss with them what are the ways to help them and to support them in whichever way we can.”
The confidential data of 14,200 HIV-positive individuals and 2,400 others who were identified through contact tracing had been leaked online by rogue American Mikhy Farrera Brochez, who gained access to the registry through his then boyfriend, Singaporean doctor Ler Teck Siang.
The Health Ministry was aware that Brochez was in possession of patients’ personal data since 2016, but declined to inform them.
MOH only public disclosed the data breach on 22 Jan this year, following the online leak of the 14,200 patients’ data.
Gan’s ministerial statement in parliament has since drawn more criticisms over lapses in judgment.
It also raised worrying questions over the extent of the data breach, in the light of this ambiguous statement from Gan:
“Should MOH now make known all that Brochez may (or may not) still have in his possession? Do we contact every person whose data may (or may not) be at risk?”
While victims of the data breach are free to take legal action against the Health Ministry, lawyers say that it would be difficult for them to prove that they had suffered damages due to the breach.