OAIC told of 94 My Health Record-related breaches in 2015-16

Over the 2015-16 financial year, Australia's Information Commissioner was notified of 94 breaches affecting 103 healthcare recipients, 98 of whom held a My Health Record at the time.
Written by Asha Barbaschow, Contributor

During the 2015-16 financial year, the Office of the Australian Information Commissioner (OAIC) received 16 mandatory data breach notifications, which recorded 94 separate breaches.

According to the Annual report of the Australian Information Commissioner's activities in relation to digital health 2015-16 published on Thursday by Australian Information Commissioner and Australian Privacy Commissioner Timothy Pilgrim, the 94 separate breaches affected a total of 103 healthcare recipients, 98 of whom had a My Health Record at the time of breach.

In his report [PDF], Pilgrim said the OAIC received three data breach notifications from the system operator, with the first of the notifications relating to MyGov accounts held by healthcare recipients being incorrectly linked to the My Health Records of other healthcare recipients.

The second and third notifications related to unauthorised My Health Record access by a third party, the report says.

The remaining 13 notifications were reported by the chief executive of Medicare. Five of these concerned five separate data breaches in which the Medicare records of healthcare recipients with similar identifying information had been intertwined, so that the Medicare claims data of one healthcare recipient was available in the digital health record of another.

The report says the remaining eight notifications involved 86 separate breaches in which Medicare claims data was uploaded to incorrect digital health records.

"These breaches were identified from the Medicare compliance program conducted by the Department of Human Services," the report explains.

Of the 13 Medicare notifications, five remain open; the OAIC expects to close them once it receives further clarification.

Additionally, the OAIC received one complaint about the My Health Record system during 2015-16, which the report says is currently being finalised.

My Health Record, the Australian government's e-health record system, was originally switched on in 2012, but has since been rebranded from the "personally controlled e-health record system" (PCEHR) to My Health Record.

Since its inception, My Health Record has had its critics, with Dr Bernard Robertson-Dunn, who chairs the health committee of the Australian Privacy Foundation, calling the system a waste of money.

"It's cost AU$2 billion so far, it's costing over AU$400 million every year, but the government has never told us how it has improved health care or reduced health costs. All it is doing is putting patient data at risk," Robertson-Dunn said in August.

"They've built a glorified document management system. It's not really a health records system ... The data is contained mostly in PDFs, which are documents. It's difficult to search them."

A 2013 review of the system commissioned by then Minister for Health Peter Dutton had recommended an opt-out model to lift signup numbers, and in September 2015 the government responded with legislation under which e-health records are created for patients automatically unless they opt out.

Pilgrim's report says that from March 2016, the Australian government commenced a trial of opt-out system participation in Far North Queensland and in the Nepean Blue Mountains region of New South Wales.

In July, Minister for Health Sussan Ley claimed My Health Record had signed up over 4 million users.

"When I came into office I was told that people won't use the system unless there is a critical mass -- well with almost 35,000 Australians signing up voluntarily each week and with early indications that our opt-out trials are running very well -- the critical mass is there," Ley said previously.

"Around 2,000 patient summaries were being uploaded by doctors each week. Now, in the week ending July 17, it was over 16,000 uploads."

In addition to handling data breach notifications, the OAIC said it also provided advice to the Department of Health on a range of privacy matters and documents in connection with the planning for, and conduct of, the opt-out trials of My Health Record, as well as developing, revising, and updating guidance materials for health and consumer audiences, including publishing consumer fact sheets.

In September, the Department of Health said it had pulled a public dataset from data.gov.au after it emerged that some Medicare Benefits Schedule (MBS) and Pharmaceutical Benefits Scheme (PBS) information in it had not been encrypted properly.

Health said in a statement that it removed the dataset of de-identified medical data, released in August, after being alerted by a team of researchers at the University of Melbourne, who found they could decrypt some service provider identification numbers from the openly available data.
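The article does not say how the provider identifiers were encoded, only that the researchers could reverse it. The added example below (not code from the Department, the researchers, or this article) shows the general failure mode behind that kind of finding: when an identifier drawn from a small space is pseudonymised with an unkeyed, deterministic transform, anyone who knows the recipe can enumerate the whole space and invert the published column, whereas a keyed pseudonym (HMAC under a secret the publisher never releases) withstands the same attack. The 6-digit ID format, the claims rows and the hash-based scheme are constructed assumptions for illustration, not the real MBS/PBS scheme.

```python
import hashlib
import hmac
import secrets

# Constructed assumption: provider identifiers are 6-digit numbers. The real
# identifier format and the scheme used in the MBS/PBS release are not
# described on this page; what matters is that the ID space is small.
ID_DIGITS = 6
ID_SPACE = 10 ** ID_DIGITS


def _encode(provider_id: int) -> bytes:
    return f"{provider_id:0{ID_DIGITS}d}".encode()


def weak_pseudonym(provider_id: int) -> str:
    """Unkeyed, deterministic transform (an unsalted hash). Not reversible in
    the cryptographic sense, but anyone who knows the recipe can recompute it
    for every possible ID and match the results against the published data."""
    return hashlib.sha256(_encode(provider_id)).hexdigest()[:16]


def keyed_pseudonym(provider_id: int, key: bytes) -> str:
    """HMAC-SHA256 under a key that stays with the publisher. Without the key
    an adversary cannot recompute the mapping, however small the ID space."""
    return hmac.new(key, _encode(provider_id), hashlib.sha256).hexdigest()[:16]


def publish(claims, pseudonymise):
    """Produce the 'de-identified' extract: pseudonym plus the claim item."""
    return [{"provider": pseudonymise(pid), "item": item} for pid, item in claims]


def invert_column(published: set, pseudonymise) -> dict:
    """Dictionary attack: walk the ID space once, recompute the pseudonym for
    each candidate and keep the hits. Memory is bounded by the published
    column, not the ID space; 10**6 hashes takes about a second in Python."""
    found = {}
    for candidate in range(ID_SPACE):
        p = pseudonymise(candidate)
        if p in published:
            found[p] = candidate
            if len(found) == len(published):
                break
    return found


def reidentify(rows, inverse):
    """Map each row back to a provider ID; None where the attack found nothing."""
    return [inverse.get(r["provider"]) for r in rows]


# Constructed sample rows: (provider_id, item number). Two rows share a provider.
CLAIMS = [(123456, 23), (987654, 36), (123456, 44)]


def demo():
    weak_rows = publish(CLAIMS, weak_pseudonym)
    # The attacker knows only the public recipe, no secret is involved.
    weak_inverse = invert_column({r["provider"] for r in weak_rows}, weak_pseudonym)

    key = secrets.token_bytes(32)  # never leaves the publisher
    keyed_rows = publish(CLAIMS, lambda pid: keyed_pseudonym(pid, key))
    # Same attack against the keyed column using the attacker's best guess at
    # the recipe (the unkeyed hash): every candidate misses.
    keyed_inverse = invert_column({r["provider"] for r in keyed_rows}, weak_pseudonym)

    return {
        "weak_rows": weak_rows,
        "keyed_rows": keyed_rows,
        "recovered_from_weak": reidentify(weak_rows, weak_inverse),
        "recovered_from_keyed": reidentify(keyed_rows, keyed_inverse),
    }


if __name__ == "__main__":
    result = demo()
    print("weak scheme, IDs recovered :", result["recovered_from_weak"])
    print("keyed scheme, IDs recovered:", result["recovered_from_keyed"])
```

Run it and the weak column comes back as the original provider IDs while the keyed column yields nothing. Note what the key does not fix: the keyed pseudonym is still deterministic, so every row for the same provider carries the same token and rows stay linkable. That is what analysts want from the dataset, but it is also what allows linkage against other data, so a secret pseudonymisation key is one control, not anonymisation.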

At the time, Ley apologised for the breach, reaffirming that no patient information had been compromised. She also said the government had moved swiftly to tighten privacy laws, with Attorney-General George Brandis announcing a day earlier that legislation would be amended to make it illegal to re-identify de-identified government data.

The Australian Parliament is currently considering laws that criminalise the re-identification of de-identified datasets that are collected and published by the Commonwealth.

The laws allow the attorney-general to declare that a particular entity is exempt for public-interest purposes. Specifically mentioned are research involving cryptology, information security, and data analysis, or "any other purpose that the minister considers appropriate".
