The Ministry of Health (MoH) publicised the breach on Monday after the police alerted it to the disclosure of confidential information from its HIV Registry last week. The MoH said it had confirmed that the data posted online matched records which had been stored on the Registry.
According to the MoH, 14,200 people who were diagnosed with HIV up to January 2013, as well as 2,400 of their contacts, had their data compromised. The information, which the Ministry said is in the possession of a convicted fraudster, includes people's names, phone numbers and addresses, as well as their HIV test results and other medical information.
"We are sorry for the anxiety and distress caused by this incident," the MoH said. "Our priority is the wellbeing of the affected individuals. Since 26 January, we have been progressively contacting the individuals to notify them and render assistance."
"While access to the confidential information has been disabled, it is still in the possession of the unauthorised person, and could still be publicly disclosed in the future. We are working with relevant parties to scan the internet for signs of further disclosure of the information," it said.
Technology law expert Bryan Tan of Pinsent Masons MPillay, the Singapore joint law venture between MPillay and Pinsent Masons, the law firm behind Out-Law.com, said: "Cyber threats can be made by internal actors and external actors. While policies are a good starting point to set standards of expected behaviour, other measures including audit logs and access control should also be considered."
News of the incident involving information from Singapore's HIV Registry comes after the body behind the operation of several hospitals and other health institutions in Singapore and the city state's central national IT agency for the public healthcare sector were fined earlier this month in relation to another data breach, described by the city state's data protection watchdog as "the worst breach of personal data in Singapore’s history".
Details of a "deliberate, targeted and well-planned cyber attack" on the SingHealth electronic medical records (EMR) database were made public in July 2018. The attack compromised the personal data of 1,495,364 people and led to outpatient prescription information for nearly 160,000 people being "exfiltrated".
The Personal Data Protection Commission (PDPC) imposed separate fines on SingHealth and Integrated Health Information Systems (IHiS) totalling SIN$1 million ($739,000) after finding that the bodies were responsible for failing to make reasonable security arrangements to protect personal data of individuals, in breach of their obligations under Singapore's Personal Data Protection Act.