It wasn’t a cover up, said Gan Kim Yong in parliament yesterday (12 Feb).
In his ministerial statement, the Health Minister said the decision not to inform affected patients, or make public the leak of personal data from the HIV registry to a foreigner back in 2016 was to spare patients the agony of knowing that their information had been compromised.
He said the decision to inform affected patients, and publicly disclose the data leak, was a judgment call that the Ministry of Health had to make.
Data of 14,200 HIV patients is suspected to since have been leaked online by American Mikhy Farrera Brochez, who gained access to the registry through his then boyfriend, Singaporean doctor Ler Teck Siang.
Short of inspiring public confidence, Gan’s statement has raised questions over his judgement.
(1) Contradictions Regarding Treatment of Ler
Brochez had first contacted MOH claiming that Ler had disclosed to him information about the HIV registry, and that he had screenshots.
However, MOH did not pursue the matter because Brochez was evasive and did not provide more than just the allegations.
“At no point in 2012 or 2013 did MOH have basis to suspect that Brochez had access to, or was in possession of, the data in the HIV Registry.”
However, MOH saw it fit to remove Ler from his position as head of the National Public Health Unit and reassign him to an unspecified department where he had no access to the HIV Registry.
Based on, according to Gan, an unfounded allegation.
So, did MOH suspect that there was a leak, or not?
(2) Important Enough for an OSA Charge, but not Patient Disclosure
When the leak was confirmed in 2016, and police found that Brochez was in possession of at least 75 names from the HIV registry, Ler was charged under the Official Secrets Act.
“Ler and Brochez were both charged in Court in June 2016. Ler was charged both under the Penal Code and OSA. Ler’s charge sheet, which was public information, stated that he had had access to the HIV Registry as part of his position as the Head of NPHU in MOH, and that he had failed to take reasonable care of the information in the HIV Registry by failing to retain possession of a thumb drive on which he had saved the HIV Registry.”
Ler’s offence was serious enough to warrant a charge for breaching the OSA, however, the Health Ministry still refused to inform affected patients.
Gan’s explained that public disclosure of the leak could raise unnecessary alarm because the magnitude of the leak was not certain at the time.
But, he did not see it fit to ensure that affected patients were in the know and could make necessary preparations and receive help from the Ministry?
(3) Up until 2018, Full Disclosure Still Denied
After Brochez served jail time for unrelated offences and was deported in May 2018, he leaked more data to even more persons – this time across several government authorities.
“In May 2018, after his deportation, Brochez sent a screenshot containing 31 records from the HIV Registry to several government authorities. All 31 records were not new. They were a subset of the 75 which Brochez had earlier revealed to authorities in 2016. MOH lodged another police report. We considered again whether to inform the affected individuals and the public. The relevant factors were similar to those in 2016. But there was one difference. This time, we could not retrieve the screenshot of the 31 records in Brochez’s possession because he was already out of Singapore.”
The Health Ministry’s judgment call – inform only the 31 persons whose data had been leaked.
And, it continued kicking the can down the road until 22 Jan 2019, when the data of 14,200 persons was leaked online
(4) A Frightening Cryptic Message
A press conference was finally called following the major online leak.
But in his ministerial statement, Gan appeared to issue a cryptic message which is just as ambiguous as it is frightening:
“Should MOH now make known all that Brochez may (or may not) still have in his possession? Do we contact every person whose data may (or may not) be at risk?”
Does he have more than just that database of 14,200? Was there more data that was stolen that MOH has not revealed to the public?
(5) Bad Judgment?
“In making those decisions, MOH had a responsibility to balance the opposing considerations and exercise judgment on what would best serve the interest of the affected persons and the public. MOH made a judgment call, balancing the various considerations. It is arguable that MOH should have made a different call. But I reject any allegation that MOH sought to cover up the incident.”
So says Gan.
And the public is now widely questioning his judgment call.
Especially since this has opened up the Health Ministry to potential lawsuits from the thousands affected.