In its annual report, the Australian Digital Health Agency (ADHA), the agency responsible for oversight of My Health Record, revealed a handful of occurrences where the security of the contentious medical records system was compromised.
The report, published in November, revealed there were 38 matters reported to the Office of the Australian Information Commissioner (OAIC) during the year concerning potential unauthorised access, security, or integrity breaches.
37 of these matters were counted as breaches, and the ADHA said most were the result of administrative errors such as "intertwined" Medicare records or processing errors when creating records for infants.
Three involved the unauthorised access to an individual's My Health Record. One of the unauthorised access incidents was the result of the incorrect parent being assigned to a child.
In breach disclosure documents, made public under the Freedom of Information Act 1982, the ADHA further detailed the instances, revealing two instances where fraudulent claims were made.
ADHA said it was "probable" that on 23 September 2013, the federal government's myGov portal was used to conduct Medicare fraud. ADHA became aware of the breach on 16 November 2017.
"Following advice from the Department of Human Services that fraudulent Medicare claiming information has been sent to a My Health Record, the System Operator reviews all transactional information relating to that record to determine if any other online activity has occurred i.e. access or viewing of information contained in the record," it explained.
"In this case, evidence indicates that it is probable that the My Health Record was created using the myGov account used to conduct the online Medicare fraud.
"As it cannot be conclusively determined that both actions were performed by a third party and not by the consumer themselves, the System Operator is notifying the OAIC of a potential data breach."
The affected consumer had their demographics, including name, address, date of birth, and Medicare information exposed.
The ADHA said it had also attempted to reach out to the affected consumer but mail has been "returned to sender".
In another "probable" occurrence of Medicare fraud, the incident occurred on 28 March 2014 and the ADHA became aware of it on 16 November 2017, the same day as the first potentially fraudulent activity.
"The breach was potentially caused by a person other than the legitimate owner of the My Health Record creating and accessing a My Health Record," it wrote.
Providing further detail on the breaches included in its annual report, the ADHA said one occurred on 27 August 2014 when a parent contacted the My Health Record helpline to have their child registered and the parent established as an authorised representative.
"A [Department of Human Services] service officer acting as a delegate of the System Operator incorrectly registered a child for a My Health Record under their own identity and also accessed the record upon completion of the process," ADHA said.
"On completion of the registration process, service operators are not authorised or required to go beyond the My Health Record landing screen that presents when the process is completed. In this instance, the officer clicked the My Health Record button and gained entry to the record."
According to the ADHA, only the child's demographic information was involved as there was no further documentation in their My Health Record at the time.
Although the incident occurred in 2014, the ADHA only became aware of it in May 2018, when a "random" audit conducted by the National Infrastructure Operator uncovered a "small number of instances" of such incorrect registrations.
"Upon further examination of each of these registrations, this breach was identified," it said.
Another breach occurred on 18 April 2017 and was found the following October when a consumer had reported that they received a Medicare card with a child's name on it that was not theirs.
"Investigations by the system operator showed that the child had previously been registered for a My Health Record with this consumer incorrectly assigned as their Authorised Representative and they had accessed the My Health Record of the child once," ADHA said.
This child's record also had no detail in it, but their demographic information was made available to the wrongly assigned parent as a result of the breach.
"The Department of Human Services processes the Medicare Newborn Child Registration form which includes an option for parents to register their newborn for a My Health Record," ADHA said, explaining the breach.
"The form was processed incorrectly on 14 Jan 2017 whereby the child's My Health Record was linked to an unrelated individual as their authorised representative. The breach was caused by the incorrect representative accessing the record. The registration was corrected on 10 November 2017."
The breaches were mostly the result of data integrity activity initiated by Services Australia to identify intertwined Medicare records, rather than unauthorised access for nefarious activity.
MyGov load is only 55,000 concurrent users and anything more is considered a distributed denial of service attack by Minister for Government Services Stuart Robert.
Instead of testing against the Australian government's Information Security Manual, vendors sign a form saying they are compliant.
Using publicly known information, a team of researchers from the University of Melbourne have claimed to re-identify seven prominent Australians in an open medical dataset.