My Health Record 'breaches' mostly fixing mismatched Medicare records

The breaches were mostly the result of data integrity activity initiated by Services Australia to identify intertwined Medicare records, rather than unauthorised access for nefarious activity.

The Australian Digital Health Agency (ADHA), the agency responsible for oversight of My Health Record, this week revealed a handful of occurrences where the security of the contentious medical records system was compromised.

The ADHA's annual report [PDF] revealed there were 38 matters reported to the Office of the Australian Information Commissioner (OAIC) during the year concerning potential unauthorised access, security, or integrity breaches.

37 of these matters were counted as breaches, and the ADHA said most were the result of administrative errors such as "intertwined" Medicare records or processing errors when creating records for infants.

Three involved the unauthorised access to an individual's My Health Record.

Breaking down four of the breaches the ADHA took to the OAIC, it said one of the unauthorised access incidents was the result of the incorrect parent being assigned to a child.

With children, a Parental Authorised Representative is assigned to act on their behalf.

See also: Rushed My Health Record changes still missing the point

Two of the four breaches reported to the privacy commissioner resulted from suspected fraud against the Medicare program. Incorrect records that appeared in the My Health Record of the affected individual were also viewed without authority by the individual undertaking the suspected fraudulent activity, the ADHA wrote.

The last of the incidents reported to the OAIC was later determined to not be a breach, as it was later confirmed that the access -- performed by a Services Australia officer who was acting as a delegate of the ADHA -- had been requested by the child's parent.

With Services Australia being a Registered Repository Operator of My Health Record, the rebranded Department of Human Services also took its breach concerns to the OAIC, reporting 34 of the total breaches.  

27 breaches were the result of data integrity activity initiated by Services Australia to identify intertwined Medicare records; and the remaining seven breaches were due to incorrect Medicare data subsequently appearing in the My Health Records of affected customers.

The mismatched Medicare records, the ADHA said, occurred where a single Medicare record had been used interchangeably between two or more individuals.

As of 30 June 2019, there were 22.55 million active records in the My Health Record system. A total of 1.74 million people accessed their record via the national consumer portal and a total of 493 million documents were uploaded to the My Health Record system.

See also:  Electronic health records: A cheat sheet for professionals (TechRepublic)

Speaking during Senate Estimates last month, ADHA representatives said there had been 23,528 records cancelled since 22 February 2019; at the same time, 22,129 people have opted back in.

The ADHA said during 2018-19 it registered an additional 3,711 healthcare provider organisations and cancelled or suspended 96 registrations.

An average of 2,306 unique healthcare provider organisations, via their clinical information systems, viewed records each week during the last financial year and an average of 6,497 unique healthcare provider organisations uploaded documents each week during that same period.

RELATED COVERAGE