There were more than 40 breaches involving My Health Record data in a year, the agency behind the program has revealed in its annual report. But experts fear this may only be the “tip of an unknown iceberg”.
The information on the contentious My Health Record system was always going to garner attention, but the Australian Digital Health Agency’s annual report was dropped in the quiet period between Christmas and New Year’s.
The report revealed 42 data breaches from July 2017 to June 2018, but said there were “no purposeful or malicious attacks”.
The ADHA reported three of the breaches to the Office of the Australian Information Commissioner: one involved unauthorised access after an incorrect Parental Authorised Representative was assigned to a child, and the other two were due to suspected Medicare fraud.
A further 17 breaches were the result of the Department of Human Services identifying “intertwined records where two or more people have been using the same Medicare record”.
But Australian Privacy Foundation health committee chair Dr Bernard Robertson-Dunn said the ADHA’s breach information “does not tell the full story”, with less restrictive controls on the data once it is downloaded by a provider.
At this point, “users have no control at all over what users of these systems can see”, he said.
“This means that the ADHA can only report on misuse of My Health Record data, not on data that has passed through My Health Record. In other words, the ADHA annual report probably only covers the tip of an unknown iceberg,” Dr Robertson-Dunn told InnovationAus.com.
“My Health Record was designed to make access to your health data much easier. Unfortunately, this is a two-edged sword. Protecting your health data has now become much harder.”
The ADHA’s report also confirmed that in the year ending June 2018, more than 930,000 people signed up for an MHR, while more than 42,000 cancelled their registrations. This was before the initially three-month opt-out period began.
After a series of controversies and serious concern from a wide range of lawyers and civil and digital rights advocates, the federal government agreed to extend the opt-out period until early 2019.
The breach disclosure from the ADHA will likely exacerbate concerns surrounding MHR and fears that it could act as a “honeypot” of valuable sensitive data for hackers.
Electronic Frontiers Australia board member Justin Warren told InnovationAus.com last year that a serious breach involving MHR is “just a matter of time”.
“There are inherent risks in having a single central database of valuable health data. It’s a very attractive target for cyber-criminals,” Mr Warren said.
“The government hasn’t demonstrated that it can be trusted with sensitive information. Australian governments don’t have a great track record with IT systems and information security in general,” he said.
“It’s a very attractive target for cyber-criminals. We believe a data breach is just a matter of time.”
The ADHA said that almost a quarter of all Australians now have an MHR, but this number is set to “change dramatically” after the transition to an opt-out service is finally completed.
“Once this resource becomes almost ubiquitous across the Australian health system, clinical workflows and consumer behaviours will gradually and irrevocably change to take advantage of its many benefits,” the report said.
“Moreover, the digitally transformed healthcare landscape will provide a platform for ongoing innovation, further enhancing Australia’s already enviable healthcare system,” it said.