Paternity and drug test results accessible online… after the holder of the records knew of the Privacy Breach

July 18, 2011

In today’s Australian, at Private data still online 24 hours after alert, is a further report about records of Medvet being released online. Part of the article provides:

CONFIDENTIAL information relating to the paternity, drug and alcohol tests of hundreds of Australian customers could still be viewed online more than 24 hours after the company responsible was alerted to a major privacy breach.

The company, Medvet, Australia’s largest for drug and alcohol testing in the workplace, did not perform a deletion exercise of its customers’ cached information on Google, despite having pledged on Friday that it was doing everything possible to overcome a serious privacy breach.

Customer information including names, complete home addresses and the type of test kits ordered could still be accessed on Google late on Saturday.

The story is also reported in the Age at Paternity and drug test details leak online in privacy breach. The PM program ran a piece on the breach. The transcript is:

MARK COLVIN: A South Australian company is trying to limit the damage after a security breach which may have exposed the private medical details of hundreds of people. The State Government is now investigating how the medical laboratory Medvet allowed personal details to be accessible online. Google searches over the weekend unearthed the details of people who ordered paternity tests or were drug tested. South Australia’s Health Department says the private details have now been removed. But experts say the lapse has the potential to open the company and the Government up to compensation claims.
Nance Haxton reports.

NANCE HAXTON: More than 800 people around the country have potentially had their personal details exposed by South Australian drug laboratory Medvet. The company carries out medical tests – particularly paternity, DNA and drug tests – and is owned by the South Australian Health Department. The department is now investigating how customers who placed online orders had their personal details revealed by Google internet searches. Customers who placed online orders for the sensitive tests in the last year are susceptible to the breach.

SA Health CEO David Swan says they think a software glitch is to blame.

DAVID SWAN: In this instance it appears that there’s been some issue that’s been, that occurred with the software between Google and some software that was being used by the company to register requests for drug tests. And that has allowed some information to be available on the web. We’re very concerned about any information that’s available that is of a private nature. And that’s why we’ve requested the board of Medvet to undertake an independent investigation, both from a forensic IT perspective but also from the events that have led up to this. We want to make sure we get to the bottom of it.

NANCE HAXTON: IT expert David Raffen says it’s more likely that the company’s security was not tight enough.

DAVID RAFFEN: My policy is that if it’s available to one person it’s potentially available to many. We put in a lot of controls and security to stop that from occurring. We put padlocks on our own house but people can pick the locks. They can break the door down. So any information that’s on an electronic media is available potentially to somebody else. I think that in this instance it’s been somebody that’s either naive in what they’ve done. I don’t think that people have deliberately gone out to have this information available. But by publishing it, they’ve set it up that, not knowing that Google is out there searching all the time, potentially the information can be put back up onto the net.

NANCE HAXTON: The case has exposed a potential privacy hole for people who order medical tests online.

The privacy commissioner is also investigating.

Australian Privacy Foundation Health chair Juanita Fernando says this is the latest in a series of security lapses of sensitive personal details, and highlights the need for a privacy tort of law so people have a right to recourse.

JUANITA FERNANDO: It’s a significant security breach in terms of numbers or volume, but it’s not a significant security breach in terms of being in any way out of the ordinary.

NANCE HAXTON: So there’s the potential that other companies could have similar information available online, do you think?

JUANITA FERNANDO: Oh there is. There has been in fact at least two- Well, one that hit the press which was a pathology instance – an instance of an electronic pathologist that published all patient information online, including I think it was demographics as well as test results. And then there are instances that were reported to the Australian Privacy Foundation that don’t actually make it to the press. One that I’ve been dealing with recently is a clinician who posted 22 discharge sheets on the web without realising that that was what they were doing. And I think that that actually triggers another really, really important elephant in the room here, and that relates to training. I think a lot of organisations concentrate on the technical aspects of their systems, and they don’t concentrate or they don’t look at the human factors aspects of their systems.

NANCE HAXTON: And does it also open up the possibility, do you think, of potential lodging compensation claims for this breach?

JUANITA FERNANDO: Look, I think that’s inevitable. But my understanding is that yes, that there’s been a significant level of demand for compensation.

NANCE HAXTON: So this really highlights the need for better legislation, you think?

JUANITA FERNANDO: Oh absolutely! There’s absolutely no doubt about the need for better legislation. It is heinous, I think, that there is no legislation. We are talking about people here. We are not talking about machines. People don’t understand when they’re working with information that a MetaCrawler is likely to collect that information and then publish it on the web. They think that all they’ve done is they’ve used the internet to upload a record at their workplace.

NANCE HAXTON: But in fact it’s actually quite accessible?

JUANITA FERNANDO: Yes, that’s right.

MARK COLVIN: Juanita Fernando from the Australian Privacy Foundation ending Nance Haxton’s report.

This is an especially egregious breach of privacy. The records leaked, paternity test results and drug and alcohol test results, are extremely sensitive. The most worrying aspect of the story is that the records may have been left online for 24 hours after Medvet had become aware that they were accessible online.

The Privacy Commissioner is investigating.
