KUALA LUMPUR, April 19 – MySJ Sdn Bhd is now directly involved in providing MySejahtera user support, even though the Ministry of Health (MOH) has not yet formalised a contract with the private company for the Covid-19 app.
MySJ chief executive officer (CEO) designate Aiza Azreen Ahmad posted on the Malaysia Quarantine Support Group (MQSG) last Sunday, a public Facebook group with 140,000 members set up for Malaysians and foreign nationals travelling to Malaysia during the pandemic, that she, as MySJ chief business officer and CEO designate, would “assist” with MySejahtera app problems raised in the group.
In the comments section on her Facebook post in the group, Aiza, using her personal Facebook account, asked several MySejahtera users to “DM” (direct message) her their MySejahtera user ID last Sunday, even asking at least three users to send sensitive medical information, like screenshots of their Covid-19 vaccination certificate, to her personal Facebook Messenger.
A MySejahtera user ID is either one’s phone number or email address, while Malaysia’s digital Covid-19 vaccination certificate contains one’s full name, IC number, date of birth, and batch number of vaccine doses taken.
Two MySejahtera users from the MQSG Facebook group confirmed with CodeBlue that they sent unredacted screenshots of overseas Covid-19 vaccination certificates to Aiza’s personal Facebook Messenger account.
Noor Azam, a 38-year-old Malaysian safety inspector who lives in Jubail, Saudi Arabia, with his wife, told CodeBlue that he sent Aiza yesterday an unredacted screenshot of his wife’s Saudi Covid-19 vaccination certificate that contains his wife’s full name, passport number, and date of vaccination, as his spouse’s booster shot still isn’t reflected on MySejahtera since two months ago after a request to the app last February. For him, the process took about a month.
“Their response took about three to four weeks. MySejahtera’s Helpdesk did send a response through email to click ‘Refresh’. After that, my booster was reflected on MySejahtera. It’s just my wife’s that’s still pending to date,” Noor Azam, who wishes to visit Malaysia together with his wife during Hari Raya Haji, told CodeBlue.
A MySejahtera user, who only wanted to be known as Mrs Schrijnder, told CodeBlue that she sent her full name, passport number, and MySejahtera ID to Aiza’s personal Facebook Messenger account to get assistance on returning to Malaysia after testing positive for Covid-19 in the Netherlands during a short visit.
Schrijnder, a 50-year-old Singaporean citizen with a long-term spouse visa in Malaysia where she has been based for the last four years, said the MySejahtera Helpdesk did not respond to her email sent to them on April 15 about her situation, as she asked whether she and her children need to retake a PCR or antigen test before departure to Malaysia from the Netherlands.
“Am sitting with the 90 days’ visa that is going to be on the 28th, or I risk being an overstayer with my kids,” Schrijnder told CodeBlue yesterday.
The Aiza Azreen Ahmad personal Facebook account, who doesn’t list any workplaces on her profile, asked another MySejahtera user – who complained in the Facebook group about her current location risk being listed as a “red zone” on the mobile app, even though her husband at the same address has his listed as green – to DM her last Sunday screenshots from the national security app once managed by the National Security Council (NSC).
Aiza also appeared to have access to user issues’ status in MySejahtera’s troubleshooting process, telling a MySejahtera user, who complained that she had yet to receive any reply from MySejahtera’s help desk, to DM her her MySejahtera ID, saying last Sunday, “let me find out where this is at.”
‘Kami’, ‘Us’, ‘The Team’, ‘The Group’
In two other instances, Aiza appeared to speak either on behalf of the MOH, or implied MySJ’s authority in resolving MySejahtera user issues.
An MQSG group member asked Aiza in the Facebook group if she could download the MySejahtera app as she was planning to fly to Malaysia in December, noting that her Covid-19 vaccination certificate uses her married name, but her passport uses her Malaysian name at birth.
Aiza told the woman to download MySejahtera, but to use her passport name and email as her MySejahtera ID, adding that the woman’s married name on the vaccination certificate may not be a problem.
“However, at this time, we (kami) only accept vaccine uploads a few days before the travel date. Let me check this for you and will respond soon,” Aiza replied in Bahasa Malaysia last Sunday.
Aiza did not specify if “kami” referred to MOH or MySJ, or both parties, in managing such MySejahtera user issues.
Another MQSG group member suggested a 24-hour emergency hotline for passengers being denied flight boarding due to last-minute glitches. Aiza replied last Sunday by saying that “the team has a dedicated helpline with all the airlines”.
“If you encounter a problem before boarding, please alert your airlines and they can raise the query to us. The group operates pretty much around the clock with various authorities in there as well to review the issues and give quick resolution,” she added.
The MySJ CEO designate did not specify who the “team” or “group” was, or who she meant by “us” – whether she was referring to MOH, MySJ, or both – or how she, as a representative of a private company, came to possess knowledge about the working hours of MySejahtera’s troubleshooting team and which government officials are part of the group.
MySejahtera’s official website does not list Aiza or MySJ as a contact point for MySejahtera user issue resolution, taking users instead to the MySejahtera Helpdesk. The Helpdesk feature on the mobile app takes users to MySejahtera’s official website.
After CodeBlue sent a list of questions to her LinkedIn account at 12.37am yesterday, Aiza posted on the comments section of her Facebook post in the MQSG group at 10.34am for everyone to DM her their MySejahtera ID and “description of the issue” so that she could “alert the Helpdesk to review and handle your issue expeditiously.”
“If you have not logged the issue at Helpdesk, I suggest you do so as part of the process. I am here to help expedite the issues you have logged in by alerting the Helpdesk team.”
MOH has not made any announcement or press statement directing MySejahtera users to share their personal information – such as phone number or email address used for their user ID, or sensitive health data like Covid-19 risk status or vaccination certificate – with the private company, MySJ, outside of MySejahtera’s official channel at its Helpdesk.
CPRC Denies MySJ Has Access To MySejahtera Database
MOH’s Crisis Preparedness and Response Centre (CPRC), which manages MySejahtera, denied that MySJ has access to the MySejahtera database.
“I think I’ve stressed many times that data is ours and only ours. No one else can access and use it,” CPRC head of data Dr Mahesh Appannan told CodeBlue when contacted.
He also said that Aiza and her team are merely collecting complainants’ MySejahtera IDs and liaising with MOH to expedite user issue resolution.
“We have no time to solve social media issues,” Dr Mahesh said. “MySJ cannot get personal information. Only thing we get is MySejahtera ID and we sort things out.”
MySejahtera IDs, however, comprise one’s personal contact information, which is either their phone number or email address. Aiza has also requested (and received) screenshots of MySejahtera users’ Covid-19 vaccination certificates on her personal Facebook account.
CodeBlue sent a list of questions to Health Minister Khairy Jamaluddin’s office, including the contractual or legal basis underpinning MySJ’s provision of MySejahtera user support. Khairy’s office was also asked who would be held legally responsible for any data breaches from MySJ’s direct involvement in resolving MySejahtera user issues, particularly through the CEO designate’s personal Facebook account.
Khairy told a press conference last Thursday that MOH was still in negotiations with MySJ over MySejahtera, at the final stage of talks, without specifying the subject of the directly awarded proposed government contract.
Aiza did not respond to CodeBlue’s requests for comment after CodeBlue emailed her MySJ email address and sent questions to her LinkedIn account. The former Malaysia Digital Economy Corporation (MDEC) chief digital business officer was also contacted on her Facebook, Twitter, and Instagram accounts.
Among the questions CodeBlue asked Aiza was whether MySJ has direct access to the MySejahtera database and can amend records without prior MOH authorisation, the user support process flow in her assistance for MySejahtera users, whether MySJ is currently contracted to maintain or update data on MySejahtera for MOH, and whether she believed it was safe and proper to ask MySejahtera users to send their personal medical information to her personal Facebook Messenger account.
When CodeBlue called the Q Sentral office of MySejahtera app developer Entomo Malaysia Sdn Bhd yesterday for the second time, a person answering the phone as an Entomo Malaysia staff said Aiza (who initially was not in the office) has “noted” CodeBlue’s request to return CodeBlue’s call. MySJ, which doesn’t have a company website, shares the same business address as Entomo Malaysia.
When an MQSG group member asked about how one’s private health data on MySejahtera was being handled “after the sale to private entity”, Aiza claimed there were “numerous press statements” on the matter and denied any sale of data “as the data is under Act 342” and is only meant for “pandemic management”.
However, MySJ — which is currently embroiled in two lawsuits by shareholders — has not issued a single press statement since the MySejahtera controversy broke last month. Khairy only issued one written press release on March 27 about the issue, besides testifying at the Dewan Negara last March 31 about MySejahtera.
Act 342, or the Prevention and Control of Infectious Diseases Act 1988, does not contain any clauses on the management or protection of confidential medical data. The law instead compels members of the public and medical practitioners to notify health authorities about cases of any infectious disease. MySejahtera’s privacy policy does not cite Act 342 either.
‘Why Is MySJ Support Point For MySejahtera If Data Updates Are At MOH?’
Khairil Yusof – coordinator of Sinar Project, an initiative promoting open source technology – said Aiza’s messages to the MQSG Facebook group gave the impression that MySJ may already have access to, and is updating the MySejahtera database on behalf of MOH, or that the private company is at least able to expedite MySejahtera user issues on behalf of the ministry.
He highlighted Aiza’s comment to a MySejahtera user in the Facebook group, where she wrote: “However buat masa ini kami cuma menerima upload vaccine dalam masa beberapa Hari sebelum travel date.”
“This is problematic. Needs clarification from Aiza – who is ‘kami’ in this case – because it reads that MySJ is the one uploading/ updating the details, not MOH,” Khairil told CodeBlue.
When CodeBlue pointed out Dr Mahesh’s assertion that MySJ simply collects complainants’ MySejahtera IDs and that the company does not have access to the database, Khairil questioned: “Why would MySJ Sdn Bhd be the support point for MySejahtera if the data updates are at MOH?
“If MOH is troubleshooting it, what is the official MOH contact/ support for MySejahtera-related problems?”
The advocate for open data and transparency said despite MOH’s denials that MySJ has access to MySejahtera’s database, the public is currently sharing their personal information with someone who may officially not have access to MySejahtera data or updates.
“It’s understandable that people want to resolve problematic data issues with MySejahtera as quickly as possible as these problems can severely restrict their freedom of movement,” said Khairil.
“However, the public, as a general rule, should not disclose private and personal data to people on the internet. If they have a problem with MySejahtera, they should forward those enquiries to official support channels by MOH.”
He acknowledged that Aiza may be genuinely trying to help because MySejahtera’s official channels seem to be failing.
“This is still probably the bigger issue – that all these problematic data issues are causing a lot of problems for Malaysians, and the impact is quite severe in terms of personal freedom of movement. You may not be able to eat at a restaurant, or enter a building for work, or travel.”
MySJ’s relationship with MOH changed in a remarkably short span of time — from top ministry officials not knowing the company’s legal identity just a little over a month ago in their March 8 meeting with Parliament’s Public Accounts Committee, to now acting as the public contact point for MySejahtera users to get support on app issues, even before the company’s formal appointment as MySejahtera service provider.
