Fraudulent behaviour or human error were responsible for My Health Record data breaches, the Australian Digital Health Agency has confirmed, following the release of the Australian privacy commissioner’s annual report containing details of the security failures.
“This year we received six data breach notifications from the My Health Record System Operator,” the Office of the Australian Information Commissioner’s annual report says.
“These notifications related to unauthorised My Health Record access by a third party.”
The annual report also confirmed 29 breach notifications had been received from the Chief Executive of Medicare, including reports of “intertwined” records.
“Nine of these notifications involved separate breaches related to intertwined Medicare records of individuals with similar demographic information. This resulted in Medicare providing data to the incorrect individual’s My Health Record.”
Further cases saw Medicare claims information loaded into the wrong My Health Records.
“Twenty notifications, involving 123 separate breaches, resulted from findings under the Medicare compliance program. In these circumstances, certain Medicare claims made in the name of a healthcare recipient but not by that healthcare recipient were uploaded to their My Health Record.”
According to the Australian Digital Health Agency, the breaches were caused by fraudulent behaviour or human error.
“In each instance the access has been limited to Medicare information related to fraudulent behaviour, or isolated human processing errors,” an Australian Digital Health Agency spokesperson said in a statement to Healthcare IT News Australia.
“No clinical incidents have resulted from these matters. All privacy breaches have been investigated and resolved, and the affected parties have been notified of the situation.”
The security of the online repository of private health information has been a continuing subject of scrutiny within the industry, and on Friday the ADHA’s website went down due to a “glitch”, which may not have allayed concerns.
It came as the OAIC’s 2017 Australian Community Attitudes to Privacy Survey showed Australians perceive greater risks in allowing organisations to be the custodians of private information online.
“That survey shows 58 per cent of Australians have avoided a business because of privacy concerns and 44 per cent said they had chosen not to use a mobile app for the same reason. These findings reinforce the view that a successful data-driven economy needs a strong foundation in privacy,” the Australian Information and Privacy Commissioner Tim Pilgrim said.
Pilgrim’s office received 17 per cent more privacy complaints than last year across industries, indicating growing concern.
“Developments in technological, social, commercial and government service delivery environments continue to drive increasing community and professional interest in privacy and privacy governance,” Pilgrim said.
As Australia moves towards the introduction of the mandatory data breach notification scheme in February 2018, the ADHA this week released its Information Security Guide for Small Healthcare Businesses, described as a tool for businesses to better protect their information.
The guide, developed in partnership with the Australian Government’s Stay Smart Online program, provides advice for non-technical health professionals on privacy, passwords, software updates, back-ups and staff security awareness.
The OAIC has also published new resources to help healthcare providers understand their My Health Record privacy obligations, including advice on the handling of sensitive information.
Over 5 million people currently have a My Health Record. By the end of 2018 every Australian will have one unless they have taken steps to opt out.