Data on approximately 14,000 HIV patients included in a Singapore health registry was exposed online, allegedly by a U.S. citizen whose partner was a Singapore doctor with authority to access the data.
The incident demonstrates the importance of taking steps to safeguard the most sensitive patient information from leaks.
For example, to prevent incidents such as the Singapore HIV data leak, organizations handling especially sensitive health information should consider using behavioral analytics to monitor and detect when this data is inappropriately used.
The revelation about the Singapore HIV data breach comes from authorities in the island nation, who also reported that a 2017 cyberattack exposed health information of 1.5 million patients of Singapore’s largest healthcare group, SingHealth.
According to Singapore police, they alerted the Singapore Ministry of Health that confidential information about 14,200 individuals diagnosed with HIV and 2,400 of their contacts was in the possession of an unauthorized person and had been illegally disclosed online.
Although access to the confidential information has been disabled, it is still in the possession of the unauthorized person and could be publicly disclosed again in the future. Additional measures are being put in place to scan the internet for signs of further disclosure of the information.
The affected records are those of 5,400 Singaporeans diagnosed with HIV, and 8,800 foreigners (including visitors and work permit holders) diagnosed with HIV up to December 2011. The compromised data included names, identification numbers, personal contact details, HIV test results and related medical information. In addition, the names, identification numbers, phone numbers and addresses of 2,400 other individuals were leaked as well.
The ministry says that since 2016, it has put into place “additional safeguards against mishandling of information by authorized staff.” That includes a two-person approval process to download and decrypt registry information to ensure that the data cannot be accessed by a single person.
“A workstation specifically configured and locked down to prevent unauthorized information removal was designated for processing of sensitive information from the HIV registry,” the ministry says.
The use of unauthorized portable storage devices on official computers was also disabled at the ministry in 2017, as part of a governmentwide policy, the statement notes.
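The two-person approval rule and the behavioral-analytics suggestion above can both be expressed as checks over a registry's access audit log. The following is an added illustration written for this article, not the ministry's or SingHealth's code: the log format (`day|user|action|records|approver|workstation`), the designated workstation name `REG-WS-01`, the sample log lines and the thresholds are all constructed assumptions. It flags bulk download/decrypt actions that lack a distinct approver or run outside the locked-down workstation, and separately flags any day on which a user's record volume far exceeds that user's own median daily volume.

```python
"""
Audit-log checks for a sensitive-data registry.
Added example: the log format, workstation name, users and thresholds
below are assumptions constructed for illustration, not a real system's.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

# Assumed host name of the locked-down workstation designated for registry work.
DESIGNATED_WORKSTATIONS = {"REG-WS-01"}
# Actions that must go through the two-person approval process.
BULK_ACTIONS = {"download", "decrypt"}

# Constructed sample log: routine lookups by dr_lim, one properly approved
# decrypt by analyst_tan, a self-approved decrypt by clerk_wee, then a large
# unapproved download by dr_lim from an undesignated machine.
SAMPLE_LOG = """
# day|user|action|records|approver|workstation
2019-01-12|dr_lim|view|4||REG-WS-01
2019-01-13|dr_lim|view|3||REG-WS-01
2019-01-14|dr_lim|view|5||REG-WS-01
2019-01-14|analyst_tan|decrypt|200|dr_ong|REG-WS-01
2019-01-14|clerk_wee|decrypt|60|clerk_wee|REG-WS-01
2019-01-15|dr_lim|download|7300||HOME-LAPTOP
""".strip().splitlines()


@dataclass(frozen=True)
class AccessEvent:
    day: str
    user: str
    action: str       # "view", "download" or "decrypt"
    records: int      # number of registry records touched
    approver: str     # empty when no second person approved the action
    workstation: str


def parse_log(lines):
    """Parse 'day|user|action|records|approver|workstation' lines (constructed format)."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, user, action, records, approver, ws = line.split("|")
        events.append(AccessEvent(day, user, action, int(records), approver, ws))
    return events


def policy_violations(events):
    """Rule checks: bulk actions need a distinct approver and the designated workstation."""
    findings = []
    for e in events:
        if e.action not in BULK_ACTIONS:
            continue
        if not e.approver or e.approver == e.user:
            findings.append((e.day, e.user, "two-person approval missing"))
        if e.workstation not in DESIGNATED_WORKSTATIONS:
            findings.append((e.day, e.user, "bulk action outside designated workstation"))
    return findings


def volume_anomalies(events, factor=5, min_records=50):
    """
    Behavioral baseline: per user, compare each day's record volume with that
    user's median daily volume and flag days above factor x median. The absolute
    floor stops a user whose median is 1 record from being flagged for 6.
    Returns (day, user, total, baseline) tuples.
    """
    per_user_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        per_user_day[e.user][e.day] += e.records
    anomalies = []
    for user, days in per_user_day.items():
        baseline = median(days.values())
        for day, total in sorted(days.items()):
            if total >= min_records and total > factor * baseline:
                anomalies.append((day, user, total, baseline))
    return anomalies


def run_checks(lines=SAMPLE_LOG):
    """Run both checks over a log and return the findings together."""
    events = parse_log(lines)
    return {"violations": policy_violations(events),
            "anomalies": volume_anomalies(events)}


if __name__ == "__main__":
    for kind, items in run_checks().items():
        print(kind)
        for item in items:
            print("  ", item)
```

Using the user's own median rather than a fixed global threshold is what makes the volume check behavioral: an analyst who legitimately decrypts a few hundred records a day is not flagged, while a clinician who normally looks up a handful of patients stands out the moment a bulk export appears under their account. In a real deployment the rule findings would be raised in near real time, since the two-person and workstation rules are deterministic, while the volume check can run over the day's log.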
There have been several incidents in the U.S. involving the accidental compromise of HIV data:
- In 2017 a postal mailing from Aetna Insurance was sent to 12,000 individuals with their HIV-drug-related information visible through envelope windows, which resulted in class action lawsuit settlements and state attorneys general enforcement actions totaling more than $20 million to date.
- In 2011 a Massachusetts General Hospital worker left records containing HIV information for 192 patients on a train. This incident resulted in a $1 million HIPAA settlement with the Department of Health and Human Services’ Office for Civil Rights.
- In 2018 staff at Nashville, Tennessee’s Metro Public Health Department were able to access an unsecured database containing information about thousands of HIV/AIDS patients.
Steps to Take
Organizations should consider extra safeguards for sensitive data, such as HIV information.
It is imperative for companies to implement reasonable and appropriate administrative, physical and technical safeguards for all of the patient information they maintain.