16 February 2019

Does Singapore's Ministry of Health deserve immunity for data breach?

Singapore's largest data breach happened in July 2018, when a government hospital became the target of cyber-hackers. It is believed the hackers were after the medical data of Singapore's prime minister and cabinet colleagues. There was an inquiry, and the local privacy watchdog, the Personal Data Protection Commission (PDPC), fined the hospital and its technology vendor a total of S$1 million.

Proving Karl Marx's dictum about history repeating itself as a farce, Singapore's second-largest data breach happened in 2016, when the Ministry of Health's very own HIV registry data was downloaded by Mikhy Farrera Brochez, the same-sex paramour of Ler Teck Siang, the head of its National Public Health Unit. The breach was only disclosed last week.

Why weren't the public and the patients on the HIV registry informed in 2016? Why are they being informed only now? The minister of health, Gan Kim Yong, explained in parliament that the ministry made the right call because in 2016 the police thought they had deleted all copies of the HIV registry data from Brochez's devices. Since there was no evidence the data had been published, there was no need to inform those affected, because informing them would cause distress and emotional harm.

Surprisingly, the minister suggested that affected people living with HIV (PLHIV) could sue the ministry if they felt it had made the wrong call.

Now that's a ministry of health clown show.