My Health Records suffered 42 data breaches in 2018 and problems with data entry

December 31, 2018

My Health Records can be seen as a legislative process, the enactment of legislation, the implementation of a public policy initiative, the placing of people’s digital records online, and a salient lesson in how not to legislate and implement an initiative. The implementation of the My Health Records scheme has been fraught and is a complete mess as far as privacy and cyber security are concerned. The legislation had to be amended to assuage privacy concerns, with amendments that were at best quick fixes, and the opt out period was extended.

And the problems keep on coming.  The Fairfax Press reports that there have been 42 data breaches in 2018.  Meanwhile the Herald Sun reports that wrong data has been entered into the My Health Record system.

The Herald Sun report provides:

Seventeen people had another individual’s private medical details entered into their online My Health Record in a serious glitch that highlights key risks with the controversial $2 billion system.
The inaccurate information could have potentially led to an adverse health outcome if doctors relied on it.
In another stuff up, a child had an incorrect parent or guardian assigned to their My Health Record, the Australian Digital Health Agency has revealed in its annual report.
The records of two people were viewed by fraudsters and suspected fraudulent information was entered into the records of another 22 people.
The data breaches were revealed as the agency reports it overran its budget by $20 million last financial year, recording an operating loss of $20.494 million.
As more than one million Australians scrambled to opt out of the record in recent months leading to phone lines melting down and the website unable to cope, the agency says another 42,877 people who had a record created for them cancelled it.
The agency has refused to provide figures on how many Australians have opted out of the record so far but Google has revealed “How to opt out of My Health Record” was the top “how to” search recorded by people using its browser service in the last year.
To be fully useful the My Health Record needs a shared health summary loaded by the patient’s GP which outlines their major health conditions and medications.
While there has been a dramatic improvement it remains the case that fewer than one third of the existing My Health Records contained a shared health summary by July this year.
This makes the records minimally useful to other health practitioners.
Every Australian will get an online My Health Record that could reveal if they had an abortion, are impotent, have a drug problem or are mentally ill unless they opt out by January 31.
The record eventually will hold in one place information on all Medicare funded doctors’ visits, medical tests and medications used by a patient and the government claims it will save lives and cut the amount spent on health care.
But privacy experts have major concerns about the security of the system which can be accessed through every GP clinic, all hospitals and even through physiotherapists’ and optometrists’ offices.
The agency which runs the record has revealed the system was subject to 42 data breaches in the year to June 2018; this is even though it is meant to be protected by military grade security.
The government insists huge fines of up to $126,000 will apply to people who access the records inappropriately but it appears no such fines have been applied to date.
Instead the agency says “there has been no unauthorised viewing of any individual’s health information caused by a breach of security controls”.
The agency must notify the Office of the Australian Information Commissioner (OAIC) when data may have been accessed or viewed by someone who does not have appropriate authorisation.
And it said the errors generally occurred due to either alleged fraudulent Medicare claims or manual human processing errors.
“We can confirm that in each case, the affected individuals have been contacted and the OAIC has examined the circumstances of the breach. To date, all data breaches have been satisfactorily closed with no negative findings against the System Operator,” a spokesperson for the agency said.
The OAIC has not advised the Agency of any penalties being sought following their investigation, the agency said.
Chair of the Australian Privacy Foundation’s health committee Bernard Robertson-Dunn said the government’s claims that the My Health Record was protected by military grade security were a “distraction” because it was authorised users like doctors and other health workers who were more likely to be involved in committing any privacy breaches.
“When the system becomes fully operational a large number of people will have information about them on their records and the risk will go up,” Mr Robertson-Dunn said.
He also called on the government to be more forthcoming about how data breaches occurred and what was being done to penalise perpetrators.
“It would be interesting to know in general why these incidents (the 42 data breaches reported by the ADHA) did not result in penalties and prosecutions,” he said.
Mr Robertson-Dunn said all Australians should check their My Health Record to make sure the information it contained was correct.
