As the My Health Record fallout continues, the Federal Government’s delayed quarterly data breach notification report is due to be released, with the number of reported breaches in Australian healthcare expected to have skyrocketed.
The previous quarterly report, issued on 11 April, was the Office of the Information Commissioner’s first since the notifiable data breach reporting legislation came into effect on 22 February. Covering the first six weeks of the scheme, it showed a stark jump in reported breaches – 24 per cent of them in the healthcare sector.
Of the 63 Australian organisations affected, including government agencies, health information was involved in 33 per cent of cases, with the scheme unearthing breaches that may otherwise have remained secreted away.
The OAIC confirmed to HITNA that the second quarterly report will be released next week, two weeks after it was expected to drop and at a time of heightened data privacy concerns.
It will also come as different government branches appear to disagree on the definition of a breach, with claims by the Minister for Health and the Australian Digital Health Agency that My Health Record has never been breached despite the last two OAIC annual reports referring to numerous breaches of the national online health information platform.
This week, as Australians were given the chance to opt out of My Health Record, Minister for Health Greg Hunt expressed his confidence in the system and said world-leading cybersecurity mechanisms meant there had been no breaches since its launch in 2012.
"It is not just bank-level security but the advice from the Digital Health Agency is that it has been defence-tested," Hunt said.
"They have a permanent cyber security network. It's arguably the world's leading and most secure medical information system at any national level."
Speaking at the National Press Club in May, the ADHA’s CEO Tim Kelsey claimed My Health Record operates to the highest cyber security standards in Australia and is independently audited on that basis by a number of organisations, including the Australian Signals Directorate.
“The agency has set up a national cyber security centre to ensure constant multi-layered surveillance of My Health Record. Since the system was launched in 2012, there has been no breach,” Kelsey said.
Asked at the time for clarification of Kelsey's comments and if the ADHA's definition of a data breach differs from the OAIC's definition, the agency said there had been no “security” breach.
“To clarify the CEO’s statement at the National Press Club, to date there has never been a security breach of the My Health Record system,” a spokesperson said in a statement to HITNA.
“The Australian Digital Health Agency has a legal responsibility to report all data breaches to the Office of the Australian Information Commissioner (OAIC), even when My Health Record has not directly caused a breach and incorrect or inaccurate data has been uploaded to the system from external sources. For example, if an administrative error occurs where a clinician uploads a Medicare record into the incorrect My Health Record.”
The spokesperson said in the 2016-17 financial year, there were six data breach notifications within My Health Record, which was a decrease from the 36 notifications in the previous financial year.
“Of the six data breaches reported by the Agency, four were the result of alleged fraudulent Medicare claims. The remaining two breaches were the result of a consumer accessing a My Health Record that was not their own due to a processing error by the Department of Human Services. On identification of these incidents, the Agency worked with relevant stakeholders to promptly rectify the records.”
But according to the OAIC’s 2016–17 annual report, “These notifications related to unauthorised My Health Record access by a third party”.
Other breach notifications were the result of the “intertwined” records of individuals with similar demographic information resulting in Medicare uploading data to the wrong person’s My Health Record.
This week, as people rushed to opt out once the three-month window of opportunity opened, many discovered My Health Records had already been created for them without their consent. There were also numerous claims of incorrect information in records, including wrong data relating to doctors’ appointments and medications.
Users attempting to delete information from their My Health Record are asked by the system to select a reason with the options including “incorrect identity”.
Questions around security and data privacy have abounded this week, with the Prime Minister Malcolm Turnbull making the bombshell claim that insurance companies have the right to demand access to Australians’ My Health Records through their policies’ terms and conditions.
“When you take out insurance you’ve got an obligation to deal in absolute good faith and you have an obligation now under insurance law as it’s stood for centuries to make full disclosure,” Turnbull told Tasmania’s LAFM radio station.
“If you’re seeking life insurance, for example, you’ve got to provide, answer questions honestly that they ask you about your health, and that’s why very often life insurance companies will have one of their own doctors to give you a medical check-up.”
Turnbull said My Health Record’s clinical benefits would translate to improved patient care nationally.
“If you bowl up to a doctors’ surgery interstate and the doctor says, ‘Have you had this vaccination or that vaccination? Have you had this test or that scan?’, you won’t remember, typically,” he said.
“You’ll be able to go, ‘Have a look at My Health Record,’ and the doctor can see it all there and say, ‘OK, we don’t need to give you another test. You had this 12 months ago and you were fine, whatever’, so it’s really designed to give us, being the patients, the customers, the access to our records for protecting our health.
“That’s the purpose. Some people are concerned about security. I think frankly the security in a system like that is probably higher than having it sitting in a set of paper records in a drawer of a filing cabinet in a doctors’ surgery or on a computer in your local doctors’ surgery but it’s not compulsory.”
The Federal Government suffered a breach of paper records this year when Top Secret classified Cabinet documents were discovered in filing cabinets in a Canberra second-hand furniture store.
Despite tech meltdowns and phone line wait times of over one and a half hours, 20,000 Australians were able to bow out of the system on the first day of the opt-out period, which ends on October 15.
Among the data breaches expected to be included in the upcoming quarterly OAIC report are those relating to 75 HealthEngine users whose details were exposed by a flaw in the My Health Record-connected platform’s HTML source code.