Following a leak of client information, the Australian Privacy Commissioner has determined that Medvet Laboratories breached the Privacy Act, despite there being no client bank account details, customer names or test results exposed online.
The privacy bungle was first reported by The Australian on 16 July 2011, which stated that the South Australia Health-owned organisation had compromised the privacy of customers who had ordered kits to test for illicit drugs and alcohol.
Although SA Health was initially reported to have been made aware of the issue as early as April 2011, it told ZDNet Australia that it only became aware of the matter on 16 July 2011. It was at that time that SA Health chief executive David Swan spoke to Medvet chairman Terry Evans, who agreed to undertake an urgent independent investigation into the breaches of its systems.
The Privacy Commissioner's own-motion investigation revealed that Deloitte was commissioned by SA Health to conduct a forensic investigation of the incident, as well as to assess the organisation's security systems to determine whether there were any additional vulnerabilities.
Medvet also engaged two other external IT specialist organisations to assist with removing customer details from Google's cached results. These were removed two days after Medvet and SA Health were made aware of the incident.
According to the Privacy Commissioner's report, the source of the leak of information was Medvet's online web store, which was developed by Canadian software development company Iciniti Corporation. The Commissioner found that the software did not include appropriate security and that the development and quality management practices associated with it were deficient. In the Commissioner's investigation, the software was found to have multiple security flaws, and the Commissioner believed that very little security testing had been performed.
Despite initial reports stating that customer names had been exposed, the Commissioner concluded that neither the names of clients nor test results were released. However, he found Medvet in breach of the Privacy Act because the billing and shipping address details could provide sufficient information to subsequently identify someone.
The report revealed that one customer's order was viewed twice using Google's cache in May 2011, and 28 customer orders were viewed 174 times by up to 149 individuals in July 2011.
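The report, as summarised here, does not say which flaw in the Iciniti web store let order pages reach Google's crawler and cache. Whatever the root cause, a page that shows a customer's billing or shipping address should never be indexable or archivable by a search engine, nor stored by a shared cache, and the script below is one way to audit a set of responses for those opt-out signals. It is an added example, not code from the Commissioner's report, Medvet or Iciniti: the URLs, headers and page bodies are constructed for illustration, and the check covers only the HTTP and HTML directives, not the authentication that such a page must also require.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Directives that keep a page out of a search engine's index and cached copy.
ROBOTS_BLOCKING = {"noindex", "noarchive", "none"}
# Directives that keep a response out of shared caches.
CACHE_BLOCKING = {"no-store", "private"}

META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*["']([^"']*)["']""")


def _directives(value: str) -> set:
    """Split a comma-separated directive list into lower-cased tokens.
    Cache-Control values such as max-age=3600 are kept whole; only the
    bare token names matter for the checks below."""
    return {tok.strip().lower() for tok in value.split(",") if tok.strip()}


def _meta_robots(body: str) -> Iterable[str]:
    """Yield the content of every <meta name="robots" ...> tag in the HTML,
    regardless of attribute order."""
    for tag in META_TAG_RE.findall(body):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("name", "").lower() == "robots":
            yield attrs.get("content", "")


def check_exposure(headers: Dict[str, str], body: str) -> List[str]:
    """Return a list of findings for one response; an empty list means the
    page carries both a search-engine opt-out and a cache opt-out."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    robots = _directives(hdrs.get("x-robots-tag", ""))
    for content in _meta_robots(body):
        robots |= _directives(content)
    if not robots & ROBOTS_BLOCKING:
        findings.append("missing noindex/noarchive (X-Robots-Tag or <meta name=robots>)")

    cache = _directives(hdrs.get("cache-control", ""))
    if not cache & CACHE_BLOCKING:
        findings.append("Cache-Control lacks no-store or private")
    return findings


def audit(pages: Dict[str, Tuple[Dict[str, str], str]]) -> Dict[str, List[str]]:
    """Run check_exposure over a map of URL -> (headers, body)."""
    return {url: check_exposure(h, b) for url, (h, b) in pages.items()}


# Constructed sample responses for illustration; they are not captures from
# the Medvet store. The first is what an order page must never look like.
SAMPLE_PAGES = {
    "https://shop.example/orders/1234": (
        {"Content-Type": "text/html", "Cache-Control": "max-age=3600"},
        "<html><head><title>Order 1234</title></head>"
        "<body>Ship to: 1 Example St, Adelaide</body></html>",
    ),
    "https://shop.example/orders/1235": (
        {"Content-Type": "text/html",
         "Cache-Control": "no-store, private",
         "X-Robots-Tag": "noindex, noarchive"},
        '<html><head><meta name="robots" content="noindex, noarchive">'
        "<title>Order 1235</title></head><body>...</body></html>",
    ),
}

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_PAGES).items():
        print(url, "OK" if not findings else "; ".join(findings))
```

Two caveats when acting on the findings. A `noindex` directive only works if the crawler is allowed to fetch the page, so it must not be paired with a `robots.txt` Disallow for the same URL. And these directives are defence in depth only: the primary control is that an order page is served solely within the customer's authenticated session, which a crawler never has, and that is not something this script can verify.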
The Privacy Commissioner also stated that Medvet breached the Privacy Act by failing to take reasonable steps to protect the personal information entrusted to it, by using software that had significant security flaws and, thus, placing customers' personal information at risk.
The Commissioner did applaud Medvet's actions once it became aware of the privacy incident. Medvet improved its security systems, policies and procedures, advertised its breach in major newspapers and placed notices on its website to reach any customer who believed they had been affected. To date, Medvet has not received a single customer inquiry regarding the breach.