Records leaked include 5,400 Singaporeans diagnosed as HIV-positive before January 2013, and 8,800 foreigners diagnosed before December 2011, the Ministry of Health (MOH) said in a statement
Patient names, identification numbers, phone numbers, addresses, HIV test results and medical information was included in the information leaked by a former Singaporean resident.
"We are sorry for the anxiety and distress caused by this incident," the statement said. "Our priority is the wellbeing of the affected individuals. Since 26 January, we have been progressively contacting the individuals to notify them and render assistance."
Leow Yangfa, a spokesman for LGBT charity Oogachaga, said the group was concerned people who have not disclosed their HIV status to employers, family or friends could face repercussions due to the leak.
"This reminds us of the insufferable stigma, fear and discrimination that continues to surround people living with HIV in Singapore today," Yangfa said. "Those of us who live without HIV cannot begin to imagine the shock, distress, pain and betrayal they must be going through right now."
Sex between men is technically illegal in Singapore, and can be punished by up to two years in prison under a colonial-era statute
, though the law is not consistently enforced
According to a MOH statement, the "confidential information is in the illegal possession of one Mikhy K Farrera Brochez," a US citizen who resided in Singapore until May 2018.
That's when Brochez was deported, after serving a 28-month prison sentence on "numerous fraud and drug-related offences." One of the fraud charges related to Brochez's own HIV status, which he lied about to the Ministry of Manpower.
HIV-positive foreigners were barred from entering Singapore until 2016, according to Action for Aids
, a local charity. While the law has been relaxed for tourists, HIV-positive foreigners are still barred from receiving employment visas or permanent residence status.
In lying about his HIV positive status, Brochez was aided by his partner, Ler Teck Siang, a former head of the MOH's National Public Health Unit. Ler was convicted of "abetting Brochez to commit cheating, and also of providing false information to the Police and MOH" in September last year and jailed for 24 months. He is currently appealing that sentence.
According to the Straits Times
, a Singaporean newspaper, Brochez submitted a blood sample from Ler as his own, after testing positive for HIV in 2008. After an investigation was launched into the pair, Ler reportedly admitted to switching the samples.
Through Ler, MOH said, Brochez had access to the HIV Registry and copied records from it. Around the time of their arrest, raids were carried out on properties relating to the two men and some materials seized.
After Brochez was deported from Singapore, the MOH received information that he still had part of the records, and this month he began posting information from the registry online. Authorities in Singapore did not reveal where or how the information is being shared.
Brochez -- who could not be reached for comment -- is currently under investigation by Singaporean police, "and the authorities are seeking assistance from their foreign counterparts," the statement said.
Yangfa, the Oogachaga spokesman, said "it is extremely unfortunate that the circumstances surrounding the leak -- involving an American and his Singaporean doctor boyfriend -- appear to be rather sensational in nature."
Latest data breach
The latest leak comes months after a cyber attack
resulted in the data of 1.5 million patients, including government officials and Prime Minister Lee Hsien Loong, being compromised.
At the time, officials called the breach of SingHealth -- a network of public healthcare providers -- the "most serious breach of personal data" in the country's history.
Police in Singapore said they would prosecute anyone found sharing the leaked HIV Registry data under the Official Secrets Act, Channel News Asia reported.
"Police will not hesitate to take stern action, including prosecution, against those who have breached the OSA. A person found guilty of the wrongful possession, communication or use of confidential data shall be liable to a fine not exceeding S$2,000 [roughly $1,500 US], and to imprisonment for a term not exceeding two years," a police statement said.