Medicare and PBS dataset pulled after re-identification concerns

The Australian Department of Health has confirmed an issue within a Medicare Benefits Schedule and Pharmaceutical Benefits Scheme dataset published on data.gov.au, but said no patient information is compromised.
Written by Asha Barbaschow, Contributor

The Department of Health has pulled a public dataset from data.gov.au after it was revealed that certain information regarding the Medicare Benefits Schedule and Pharmaceutical Benefits Scheme was not encrypted properly.

Health said in a statement that the decision to remove the dataset came after the department was alerted by a team of researchers at Melbourne University that it was possible to decrypt some service provider identification numbers from the data openly available to them.

"The dataset does not include names or addresses of service providers and no patient information was identified," the department said.

"However, as a result of the potential to extract some doctor and other service provider ID numbers, the Department of Health immediately removed the dataset from the website to ensure the security and integrity of the data is maintained."

The researchers who found the vulnerability said they notified the department on September 12, 2016, and that the department immediately removed the dataset from the website, discussed the issue with the researchers, and began its own investigation.

The encryption algorithm was described online at data.gov.au, which Melbourne University's research team said was the right thing to do as it made it possible for them to identify weaknesses in the encryption method.

"Leaving out some of the algorithmic details didn't keep the data secure ­-- if we can reverse-engineer the details in a few days, then there is a risk that others could do so too," the team said.

"Security through obscurity doesn't work -- keeping the algorithm secret wouldn't have made the encryption secure, it just would have taken longer for security researchers to identify the problem.

"It is much better for such problems to be found and addressed than to remain unnoticed."

The department confirmed that while no patient information has been compromised and no information about the health service providers has been publicly identified or released, it has alerted the Office of the Australian Information Commission for further investigation.

It also advised that work is currently being undertaken to restore the dataset as soon as possible.

Australian Privacy Commissioner Timothy Pilgrim confirmed that he has opened an investigation, with its purpose to assess whether any personal information has been compromised or is at risk of compromise, and to assess the adequacy of the Department of Health's processes for de-identifying information for publication.

As part of the federal government's AU$1.1 billion National Innovation and Science Agenda, unveiled by Prime Minister Malcolm Turnbull in December last year, the government committed to making all non-sensitive government data open by default.

The government said previously that open government data, which involves publishing government-owned data in order to make it freely available and reusable by all, will enhance innovation among industry, improve transparency in government spending, and promote choice for citizens.

In a bid to improve health outcomes in Australia, the Department of Health said it makes high-value datasets publicly available to enable researchers, the not-for-profit sector, and health industries.

Australian Attorney-General George Brandis said on Wednesday the government will introduce legislation to amend the Privacy Act for the purposes of protecting anonymised datasets that are collected and published by the Commonwealth.

Claiming that the "privacy of citizens is of paramount importance" to the government, Brandis said the amendment, which will be introduced in the coming months during the spring sittings of Parliament, will criminalise the re-identification of de-identified data.

"However, with advances of technology, methods that were sufficient to de-identify data in the past may become susceptible to re-identification in the future," Brandis said in a statement.

"The amendment to the Privacy Act will create a new criminal offence of re-identifying de-identified government data. It will also be an offence to counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset.

"The legislative change ... will provide that these offences will take effect from today's announcement."

Among the team of researchers from Melbourne University was Dr Vanessa Teague, who was one half of the team that discovered the electronic voting system developed by New South Wales Electoral Commission was vulnerable to the FREAK attack.

Editorial standards