Aussie eHealth record data mishap defended by Department of Health

The Australian Department of Health has moved to allay concerns over the alleged leak of confidential eHealth login details, stating that even if it had mistakenly sent login details to the wrong person, they are useless without further details.

On Wednesday morning, an unnamed Adelaide source told ABC News that he had mistakenly been sent an email from the National eHealth Record System Operator that appeared to be intended for someone else with the same last name.

The unnamed man claimed to have been sent a "private login password", leading to speculation that the eHealth system was securing patient records using plain text passwords. Such practices are deemed insecure by modern standards for a number of reasons, including the fact that most email communications are insecure, and that passwords are often reused by users across several services.

The Department of Health has not yet been contacted by the unnamed source, making it difficult to determine whether any such breach of personal information had occurred. However, the department told ZDNet that passwords, whether they are in plain text or not, are never sent to users. This is despite the unnamed source claiming he was given a password.

Instead, the department said it could be possible that the man was actually sent an "access code" belonging to another person.

"Access codes are used after a person has been registered through assisted registration or at a Medicare office so they can log on for the first time. The code is used once in combination with other information, and then the person sets their own password. The code cannot be used without the additional information or used more than once," a spokesperson for the department told ZDNet.

"Given nearly 900,000 people are registered, a small number of typographical errors could be expected to occur in the despatch of access codes via text or email."

As the eHealth records system is linked through the myGov account, users that are unsure of whether their account has been tampered with can use the system's account history to provide an audit trail. In addition to successful logins, it also shows failed attempts to access an account.

Under the Personally Controlled Electronic Health Records Act 2012, the National eHealth Record Systems Operator is required by law to inform the Office of the Australian Information Commissioner (OAIC) if there has been a breach that compromises the security or integrity of the eHealth records system.

At this point, the department is currently awaiting a response from the individual to determine whether an investigation is necessary. Such an investigation would presumably determine whether the system has actually been compromised. The OAIC is, however, able to conduct an own-motion investigation if it suspects that a breach is occurring and not being reported as required.

The Australian privacy commissioner Timothy Pilgrim told ZDNet that the OAIC is aware of the incident, and is making further enquiries.