EXECUTIVE SUMMARY:

Last year, Singapore suffered the largest personal data breach in its history when 1.5 million citizens’ health records, including those of the prime minister, were stolen. Now, Singapore’s Ministry of Health reports that 14,200 HIV-positive patients and their 2,400 contacts have been impacted by the illegal release of their health data online.

According to a notice on the Ministry of Health’s website, “The records were those of 5,400 Singaporeans diagnosed with HIV up to January 2013 and 8,800 foreigners diagnosed with HIV up to December 2011. The information included their name, identification number, contact details (phone number and address), HIV test results and related medical information. The name, identification number, phone number and address of 2,400 individuals identified through contact tracing up to May 2007 were also included.”

The sensitive information was allegedly stolen and leaked by Mikhy Farrera Brochez, an American who lived in Singapore from 2008 until he was jailed in 2016 for fraud and lying about his own HIV status. After serving his prison term, he was deported from Singapore.

Farrera Brochez was the partner of a Singaporean doctor. The Singapore Straits Times writes, “It came to light on Monday that Farrera-Brochez, who was HIV-positive, had not only used his boyfriend’s blood to pass blood tests so he could work in Singapore, but that he had also got hold of information illegally from the HIV registry which his doctor boyfriend had access to.”

Verizon’s 2018 Data Breach Investigations Report reveals that in healthcare, 56 percent of data breaches were from internal causes during the previous year. “Healthcare is the only industry where the threat from inside is greater than that from outside,” states the report.

Similarly, according to Healthcare Innovation, researchers from Michigan State University and Johns Hopkins University found that the majority of personal health information data breaches were due to internal issues. “There’s no perfect way to store information, but more than half of the cases we reviewed were not triggered by external factors – but rather by internal negligence,” said John Jiang, the lead author of the study.

While data protections were in place, the Ministry of Health believes the doctor who was partnered with Farrera Brochez did not comply with the policies and guidelines prescribed. The ministry has implemented additional data security measures since 2016, including requiring a two-person approval process to download and decrypt registry information so that no one person can act alone to access the data. In addition, a designated HIV Registry workstation has been specifically configured and locked down to prevent unauthorized data extraction. A third measure forbids the use of unauthorized portable storage devices on official computers.
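A two-person rule for decryption, like the one described above, can be enforced cryptographically by splitting the key so that neither holder can decrypt alone. The sketch below is an added illustration, not the Ministry of Health's system or anything taken from the reporting; the XOR split, the `KeyEscrow` class and the custodian names are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


class DualControlError(Exception):
    """Raised when a release attempt does not satisfy the two-person rule."""


def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split key into two XOR shares; either share alone is uniformly random."""
    share_a = secrets.token_bytes(len(key))
    share_b = bytes(k ^ a for k, a in zip(key, share_a))
    return share_a, share_b


class KeyEscrow:
    """Hypothetical release gate: stores a hash commitment, never the key or a share."""

    def __init__(self, key: bytes, custodians: tuple[str, str]):
        if len(set(custodians)) != 2:
            raise DualControlError("two distinct custodians are required")
        self.commitment = hashlib.sha256(key).digest()
        self.custodians = set(custodians)
        self.audit_log: list[tuple[str, str]] = []  # (participants, outcome)

    def _deny(self, who: str, reason: str) -> None:
        # Failed attempts are logged too, so a lone attempt leaves a trace.
        self.audit_log.append((who, "denied"))
        raise DualControlError(reason)

    def release(self, submissions: dict[str, bytes]) -> bytes:
        """Rebuild the key only when both registered custodians present a share."""
        names = sorted(submissions)
        who = ",".join(names)
        if set(names) != self.custodians:
            self._deny(who, "both custodians must take part")
        first, second = (submissions[n] for n in names)
        key = bytes(x ^ y for x, y in zip(first, second))
        if not hmac.compare_digest(hashlib.sha256(key).digest(), self.commitment):
            self._deny(who, "shares do not reconstruct the registered key")
        self.audit_log.append((who, "released"))
        return key
```

The key exists in one place only after both custodians submit their shares, and every attempt, successful or not, is recorded with the names of those who took part.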

Get the full story at The Straits Times.