The Australian Digital Health Agency (ADHA), the agency responsible for oversight of My Health Record, this week revealed a handful of occurrences where the security of the contentious medical records system was compromised.
The ADHA's annual report [PDF] revealed there were 38 matters reported to the Office of the Australian Information Commissioner (OAIC) during the year concerning potential unauthorised access, security, or integrity breaches.
37 of these matters were counted as breaches, and the ADHA said most were the result of administrative errors such as "intertwined" Medicare records or processing errors when creating records for infants.
Three involved the unauthorised access to an individual's My Health Record.
Breaking down four of the breaches the ADHA took to the OAIC, it said one of the unauthorised access incidents was the result of the incorrect parent being assigned to a child.
With children, a Parental Authorised Representative is assigned to act on their behalf.
Two of the four breaches reported to the privacy commissioner resulted from suspected fraud against the Medicare program. Incorrect records that appeared in the My Health Record of the affected individual were also viewed without authority by the individual undertaking the suspected fraudulent activity, the ADHA wrote.
The last of the incidents reported to the OAIC was later determined to not be a breach, as it was later confirmed that the access -- performed by a Services Australia officer who was acting as a delegate of the ADHA -- had been requested by the child's parent.
With Services Australia being a Registered Repository Operator of My Health Record, the rebranded Department of Human Services also took its breach concerns to the OAIC, reporting 34 of the total breaches.
27 breaches were the result of data integrity activity initiated by Services Australia to identify intertwined Medicare records; and the remaining seven breaches were due to incorrect Medicare data subsequently appearing in the My Health Records of affected customers.
The mismatched Medicare records, the ADHA said, occurred where a single Medicare record had been used interchangeably between two or more individuals.
As of 30 June 2019, there were 22.55 million active records in the My Health Record system. A total of 1.74 million people accessed their record via the national consumer portal and a total of 493 million documents were uploaded to the My Health Record system.
See also: Electronic health records: A cheat sheet for professionals (TechRepublic)
Speaking during Senate Estimates last month, ADHA representatives said there had been 23,528 records cancelled since 22 February 2019; at the same time, 22,129 people have opted back in.
The ADHA said during 2018-19 it registered an additional 3,711 healthcare provider organisations and cancelled or suspended 96 registrations.
An average of 2,306 unique healthcare provider organisations, via their clinical information systems, viewed records each week during the last financial year and an average of 6,497 unique healthcare provider organisations uploaded documents each week during that same period.
- Over 850,000 diagnostic reports uploaded to My Health Record each week
- Over 30,000 Australians cancelled their My Health Record in under two months
- My Health Record spends AU$360k on integration with specialists software
- AMA says almost all Australians have a My Health Record but not everyone is using it
- Australian Department of Health wants to reduce paperwork with SaaS solution
- ADHA to overhaul underlying infrastructure of Australia's health services