Frightening My Health Record data breaches revealed in latest report

A total of 42 data breaches were reported to the Office of the Australian Information Commissioner. Source: Getty

While the Digital My Health Record System is intended to make things easier for patients and health professionals by having a person’s entire medical history in one digital place, doubt has been cast over the safety of the new online system.

Every Australian will automatically be rolled onto the online summary of their personal health information unless they opt out. Personal health information will be uploaded online by care providers to make it easier for doctors, carers and other health professionals to access health information in one online portal.

This will also make it easier for patients who visit multiple specialists and health professionals, as well as potentially saving lives in emergency situations because vital information will be easily accessible.  

According to a report released by the Australian Digital Health Agency, there have been several data breaches since Aussies began to be rolled onto the new system in July.

“There have been no reported unauthorised views of a person’s health information in My Health Record in the six years of its operations,” an Agency spokesperson told Starts at 60. “More than 6.3 million people have a My Health Record.”

While the Australian Digital Health Agency explained there had been no purposeful or malicious attacks compromising the integrity or security of the My Health Record system, it did report there had been 42 data breaches.

“The Agency, which was established in July 2016, has a legal responsibility under the My Health Records Act 2012 to report ‘notifiable data breaches’ to the Office of the Australian Information Commissioner (OAIC),” the spokesperson said. “These ‘notifiable data breaches’ have been routinely reported by the Agency and the Department of Human Services which runs the identity scheme which underpins My Health Record to the OAIC. These reports are published annually by the OAIC. Details are also described on page 59 of the Agency’s 2017-2018 Annual Report.”

The spokesperson said errors of this type occur due to either alleged fraudulent Medicare claims or manual human processing errors, as was the case for the breaches reported during the 2017-2018 financial year. There has been no reported unauthorised viewing of any individual’s health information from a ‘notifiable data breach’.

Having said that, one breach was caused when unauthorised access to a My Health Record was granted as a result of an incorrect Parental Authorised Representative being assigned to a child.

Two breaches occurred from suspected fraud against the Medicare program where the incorrect records appearing in the My Health Record of the affected individual were also viewed without authority by the person undertaking the suspected fraudulent activity. Meanwhile, the report found an additional 17 cases where personal data had been uploaded to another individual’s account.

A further 22 breaches resulted from suspected fraud against the Medicare program involving unauthorised Medicare claims being submitted, and the incorrect records appearing in the My Health Record of the affected customers.

The Department of Human Services took action to correct the affected My Health Records.

“In each case, the affected individuals have been contacted and the OAIC has examined the circumstances of the breach and no unauthorised breach has been determined,” the spokesperson said. “In all instances of data breaches reported by the Chief Executive Medicare, the Department of Human Services took action to correct the affected My Health Records.”

The report also explained there were 57 complaints made in relation to the My Health Record. These complaints were initially registered and actioned by the Department of Human Services or Call Centre service officers, but were escalated to the Australian Digital Health Agency if the issue was complex or related to a potential privacy, clinical or cyber security breach.

Australians originally had until October 15 to remove their details from the online summary of their health, but it was extended by a month to November 15. Under mounting pressure from Labor and many concerned about their privacy details, Minister for Health Greg said in November the deadline would be moved to January 31.

Many were already concerned about their privacy and data being compromised, including some security experts who warned earlier this year that a major privacy breach was inevitable.

“In an environment where we seem to be hearing about a new data breach practically every few days, My Health Record is yet another privacy and security nightmare,” University of Queensland Associate Lecturer Liam Pomfret said in a statement to Scimex earlier this year. “Our health records are some of the most sensitive information we have, yet the privacy controls My Health Record offers to patients are dubious at best.”

Vijay Varadharajan, Microsoft Chair Professor in Innovation in Computing Director, acknowledged that there is a growing trend in information going digital, but said there were flaws in My Health.

“From a technical point of view, there are access controls in place, however, the data itself, at this stage, is in plain format, it is not encrypted,” he said. “Hence there is a potential for leakage if a breach occurs. With the growth in malware and security attacks, we cannot rule this possibility out.”

Australia’s peak health bodies, including the Australian Medical Association (AMA), the Royal College of Australian General Practitioners, and Pharmacy Guild of Australia, have all supported the push for health records to go digital.

Meanwhile, there are things Aussies can do if they feel their information has been compromised.

“If a person feels incorrect information is in their record or someone has looked at their record when they shouldn’t have, they can call on 1800 723 471 and the Australian Digital Health Agency (the Agency) will investigate,” the spokesperson said. “It is criminal for someone to have unauthorised access to a record, and serious penalties apply.”
