It was a Sunday afternoon in late January when Singapore’s Ministry of Health began making phone calls.
A generally officious but non-threatening voice would first ask the recipient to confirm their identity. They would introduce themselves as a representative of the ministry, and would then drop a potentially life-changing bombshell on the stunned individual at the other end of the line.
There had been a breach of a medical database, they said, and the personal details of people living with HIV (PLHIV) in Singapore had been leaked online.
‘My first reaction is I didn’t quite believe it; there was a level of denial,’ says Avin Tan, advocacy manager of Singapore-based NGO Action for AIDS.
Tan, who has been living with HIV for around nine years, was contacted by the ministry on Monday, 29 January. ‘It felt very surreal. I’ve worked with people who [have] been in this industry for 20-plus years, and have never experienced anything like that,’ he says.
Gay Star News broke the news of the data breach on that Monday afternoon, with initial information suggesting that just over 1,000 people had been affected. When Singapore’s Ministry of Health, commonly know as MOH, held a press conference a short time later, the sheer scale of the breach came into focus: the data of over 14,200 PLHIV had been leaked.
‘It was a ‘what the fuck?’ moment — legit, like, “What the fuck is going on?”’ says Vanessa Ho, Executive Director of Project X, an NGO advocating for sex workers’ rights.
‘I had lots of peoples names and faces flash in my head, like “Oh my God, do they know? Are they safe? Did MOH call them already?” I had lots of questions: Are the MOH people calling them trained? Are they crisis councilors? Do they know what to say or do they know how to answer the questions from people living with HIV?’
This breach of Singapore’s HIV registry was a sobering reminder of just how vulnerable countless PLHIV in the city-state remain.
Despite all the medical breakthroughs, public awareness campaigns and the overall the understanding of HIV and AIDS in the modern world, in an instant, PLHIV the country over were faced with the very real prospect of old stigmas and discriminations being used against them.
The fraud and the fiasco
As it turned out, the individual alleged to have leaked the data was himself a person living with HIV.
Mikhy K Farrera-Brochez is a convicted serial fraudster, who, prior to 2013, had bluffed his way into numerous academic positions in Singapore. The American national had convinced people that by the age of three he was fluent in three languages, that he been accepted into Princeton University at age 13, and that he was one of the youngest registered psychologists in the US — none of these claims were true.
It was discovered in 2013 that he had faked not only his educational qualifications but also the result of his own HIV tests. He was convicted of fraud and drug-related offenses, sentenced to 28 months in prison, and deported upon his release.
During his trial, it emerged that Farrera-Brochez had managed to maintain the illusion of being HIV-negative with the help of a high-level connection: his partner and former head of MOH’s National Public Health Unit, Ler Teck Siang. As foreigners who are HIV-positive are not allowed long-term visas to remain in Singapore, Farrera-Brochez had used Ler’s blood for his HIV test.
It was also through Ler that Farrera-Brochez is thought to have gained possession of the HIV registry. As part of his job, Ler had access to the personal data of every person diagnosed with HIV in Singapore.
This, in itself, raised questions about the methods of collection, storage, and accessibility of sensitive information following the data breach. Reports suggest that Farrera-Brochez had managed to get hold of a USB drive containing the downloaded registry.
‘A HIV data leak is possibly one of the worse data leaks you could have,’ says software engineer Chong Kai Xiong. ‘This is information that could be used to blackmail people, and so I think [the authorities] really should’ve done much better here. I’m really quite surprised that they didn’t have any mechanism to detect the leak itself.
‘There’s no particular reason to download 14,000 records with names inside. I mean, who would go through all these names? If you’re looking at such massive amounts of data then the names are not actually very useful since you’re more interested in analyzing any broad patterns in the information,’ Chong adds.
Farrera-Brochez went on to publicly defend his decision to steal the data. In an interview with VICE, he claimed that he was trying to draw attention to the injustice of the existence of a HIV registry.
‘Giving that to the press, I was hoping that somebody would get a look at what has been going on in Singapore and how they are using that registry to track individuals with HIV and men who have sex with men,’ he said. ‘There’s no need to have that registry.’
In a way, Farrera-Brochez achieved his goal. But his ‘success’ came with 14,200 instances of collateral damage inflicted upon people with no power over the system.
‘A lot of [PLHIV affected by the data leak] were crying, and they were just very distressed about the entire situation,’ says Tan.
‘We had the ministry call homes, because this information dates back to 2012, and people’s mobile phone [numbers] have changed — contact points have changed. Sometimes their parents picked up. They immediately identified themselves as an officer of the MOH, and by then the news was just full of the data breach, and so some parents just put two and two together and they immediately know that their child has HIV. They immediately confronted their child. So that was very distressing for many people.
‘The ability to disclose on their own terms has been dropped from them. They’re worried about where this information is, and that it might end up with people who might use it against them.’
Sex in the city-state
For rights equality groups and NGOs in Singapore, the revelation of the leak was a call to action.
A number of rights organizations — including Action for AIDS and Project X — began calling for the immediate implementation of anti-discrimination laws to protect PLHIV.
Action for AIDS has gone one further, using the opportunity to highlight how badly the current immigration and employment laws — which actively target PLHIV — need updating to fit a modern context.
But none of the groups involved have any illusions about the uphill battle ahead. Not only will they have to convince a government inherently skeptical of activists and activism, but they also have to get their message out to a public largely conditioned to consider sex as a taboo subject, and view those who contract Sexually Transmitted Infections (STIs) as victims of their own promiscuity.
In the past, Singapore has been described as ‘economically liberal/socially conservative’, a term with both positive and negative connotations. Sex education in Singaporean public schools tends to emphasize abstinence-only education, and prudish legacies of the British colonial era are ever present (Singapore only decriminalized oral and anal sex in 2007).
This colonial hangover is perhaps no more true than with Section 377A, a colonial-era law which criminalizes sex between men. Although the authorities have said the law will not be proactively enforced, LGBTI rights activists say the retention of the law influences anti-gay policies in multiple ways, ranging from censorship in the mainstream media to a reluctance of schools to address the issue or provide affirming support to LGBTI teens.
This is the environment in which PLHIV continue to struggle with the longstanding prejudice attached to STIs, particularly one still viewed in society — despite the modern-day medical realities — as a terrifying death sentence.
‘People with HIV face a lot of issues here […] the understanding and accepting a person with HIV is still lacking in many areas in Singapore,’ says Tan.
‘A lot of people carry with them a lot of shame, a lot of guilt when it comes to living with HIV […] A lot of them would say things like: I’d rather die, I’d rather get cancer, I’d rather get something else because you can get the sympathy and the understanding from the general public, and from their relatives.’
These cultural stigmas have translated into systemic issues. The country currently fails to offer any serious legislation protecting PLHIV.
‘Singapore, as a developed country, is shockingly backward in our lack of protections of the rights of individuals,’ Leow Yangfa, Executive Director of LGBTI community support NGO, Oogachaga, writes in an email.
‘The existing provisions in the Infectious Diseases Act serve only to protect the identities of persons living with HIV, not their rights,’ Yangfa adds. ‘And as we have seen last month, once the confidentiality of this information is breached, there are no other laws that protect individuals living with HIV from being discriminated [against] by employers, healthcare providers, etc.’
‘If we disclose to our employers, they can terminate us without any issues,’ says Tan. ‘We can also, again, raise this issues of employment, fair employment, but very few people want to do that because that would also end up causing even more people in subject to even more scrutiny.’
For activists calling for change, to say that the provisions in place need updating is putting it mildly — particularly in light of such a potentially damaging data leak.
‘The best thing the government can do right now is to enact anti-discrimination legislation,’ says Ho. ‘Because the internet is so big — you cannot shut it down, you cannot be sure the data will not be leaked again. So, if there’s no discrimination against people living with HIV then they don’t have to worry that the data is out there.’
A matter of trust and confidence
This massive privacy leak has also dealt a blow to some people’s faith in the government’s abilities to protect their private information. This is not even the first data breach in recent years; just last year the non-medical personal information of 1.5 million patients of Singapore’s largest healthcare group was stolen in the ‘most serious breach of personal data’ in the country’s history.
With the combination of a lack of institutional protection and entrenched cultural stigma, the data breach carries with it the very real prospect of PLHIV no longer seeking medical attention out of fear that their personal data is no longer secure.
‘We can only wait and see how much the impact is, but people are already calling the hospitals and telling them “I don’t want to go back anymore; I don’t feel safe anymore.” I think that it’s going to take a lot of convincing for people to rebuild that trust in the system again,’ says Tan.
With this in mind, rebuilding trust between the authorities and the populace seems not only the next logical step, but an urgent necessity to help those who are in desperate need of medical attention.
But there are some obstacles in the way of this trust-building. In this case, the government revealed that they’d been aware since 2016 that Farrera-Brochez had possession of the data. While they maintain that they had opted not to inform the public so as not to cause a panic, the sheer optics of keeping something so earth-shattering to themselves has done them no favors.
‘There’s a lot of mistrust — regardless of this leak — when it comes to the government accessing information from us,’ says Tan. ’In Singapore, we have quite regularly given up quite a lot of our information, and in some cases we have celebrated that.’
A perceived lack of accountability has also left many Singaporeans unhappy about this state of affairs.
‘I have yet to see any statement from the Minister or anyone in government taking full responsibility for this leak taking place under their watch,’ Yangfa wrote.
‘It is worrying to consider the possibility that in future, when the alleged perpetrator of this crime, Mikhy Farrera Broche has been arrested, tried in court and sentenced, everything will blow over and be forgotten, and it will be business as usual for MOH and the rest of Singapore.’
However, Tan believes there is a slight glimmer of hope one positive development emerging from the data breach. While the higher-ups in government have kept the crisis at arm’s length, there are those from MOH who have taken an active role in addressing the issue.
‘They were on the ground, they were very involved with ensuring that support systems were in place, and allocating resources wherever needed to coordinate this issue. So they were very involved,’ says Tan.
‘It’s not that they’re very quiet, but there’s not really anything they can say at this point. But the good thing that came out of it was that they were on the front line of receiving some of these calls, then they felt for the first time a very real experience of what stigma and discrimination is.
‘And we want to ride on that and call for change. I think it’s a great opportunity for us,’ Tan concludes.
Whether or not his hopes will translate into reality in the island republic is yet to be seen.