The Federal Government moved this week to improve safeguards around the My Health Record system, telling Australians their private data would remain just that — private. But is that a promise it can realistically make?
Last year’s Information Commission report reveals there have already been a number of data breaches of the My Health Record system, but the Government maintains no-one’s privacy was put at risk.
Nothing to see here, says the Government
Malcolm Turnbull was adamant when he told AM there’d been no privacy breaches on the Government’s digital health record system.
“There are 6 million Australians with My Health Records.
“No records have been released or has privacy been breached,” the Prime Minister told the program late last month.
So was the Health Minister, Greg Hunt, when he spoke to PM recently.
“When you look at 6 million people, six years, on the latest advice today, no data breaches.”
Data breaches, privacy breaches — what’s the difference? And have there been any?
It depends who you talk to.
The Australian Digital Health Agency referred 11 cases, involving six data breach notifications, to the Office of the Australian Information Commissioner (OAIC) — the Government’s national data protection authority. They were outlined in the commission’s 2016-2017 annual report (p 82).
“The 11 cases you are referring to were notifications that we, the Australian Digital Health Agency, make to the privacy commissioner,” said Professor Meredith Makeham, the chief medical adviser for the Digital Health Agency, which oversees the My Health record.
“And any time there is an instance where there’s what we call a privacy breach, where someone’s information might be accidentally seen by somebody else, we report that to the privacy commissioner.”
“The cases that you’re speaking about … all of them are acted on immediately, the people have been informed.”
Then what is a privacy breach?
The Digital Health Agency, the Prime Minister’s Office and the Health Minister’s Office all maintain that these cases do not constitute a breach of privacy.
But this appears to differ from what the DHA has previously said, and from the OAIC’s report.
In a statement, the Digital Health Agency said:
“Breaches of this type have occurred due to either human error such as processing errors by the Department of Human Services, incorrect information uploaded to a My Health Record, or through alleged fraudulent Medicare claims.
“While the Agency is required to notify these events to the OAIC, none of the six were privacy or security breaches.
“The agency has no evidence that any of these matters led to unauthorised access to any individual’s health information.”
It also points out that:
“The My Health Record provides a level of consumer control and transparency over their health records that is not available in any other health system in Australia.”
Still confused? So were we.
So we also asked the OAIC to explain what the data breaches in its report actually mean, and whether they are the same as privacy breaches.
This is what it said in a statement:
“The unauthorised collection, use or disclosure of health information included in a My Health Record; or events or circumstances that compromise, may compromise, have compromised or may have compromised, the security or integrity of the My Health Record system.”
We also asked the OAIC to clarify what some of the Medicare-related breaches were, and this was how it was explained:
“Medicare claims belonging to someone else were made available in the affected individual’s My Health Record.
“This is what has occurred in relation to these nine data breaches.”
So if these are not privacy breaches, then what are they?
We asked some privacy experts what they think has happened.
“I would call what’s in the commissioner’s report data breaches,” said Anna Johnston, the former deputy privacy commissioner for New South Wales.
“Data breach is a different term to privacy breach, which is a different term to cyber breach or cyber security incident,” she said.
“I think part of the problem here is that people have been talking at cross-purposes.”
“For the Minister of Health and the My Health record operator, if they are coming out and saying there have been no cyber breaches, maybe what they mean is we haven’t had our system hacked into by unauthorised third parties, but for them to say there has been no data or privacy breaches is demonstratively false.”
Dr Cassandra Cross, a criminologist at the Queensland University of Technology, agrees.
“There is a lot of confusion on the part of the public who are being given mixed messages from the Minister and the Government, compared to the Office of the Information Commissioner in the latest report.”
She says it probably comes down to “some technical definitional aspects”, where the two parties might be using different definitions for the term “data breach”.
“I think it’s misleading on the part of the Minister and the Government to make the repeated suggestions that there haven’t been any privacy breaches.”
The Australian Privacy Foundation says the government may have good security systems in place to prevent hackers, but it can’t guarantee privacy.
That’s because the My Health Records are part of a much larger system.
Privacy experts have warned that the system opens up health records to more people than ever before, dramatically increasing the threat surface, that is, the number of people, systems and access points through which a record could be exposed.
Dr Bernard Robertson Dunn, who chairs the health committee at the foundation, says once the data is downloaded into the health system, the My Health record system cannot guarantee privacy.
“Once the data has been downloaded to, for instance, a hospital system, the protections of the hospital system apply, and then the audit logs apply to the hospital system — not to My Health record.
“So there is no way the Government would know who has accessed that data, and it is untraceable and untrackable that that access has occurred.”
AM has gone back to the Government and the OAIC to clarify their definitions of a privacy breach, but has not yet received a response.