The agency’s Annual Report 2017–18 identified that “42 data breaches (in 28 notifications) were reported to the Office of the Australian Information Commissioner (OAIC)… concerning potential data security or integrity breaches”, but with “no purposeful or malicious attacks compromising the integrity or security of the My Health Record system”.
Of the 42 instances, one breach resulted from unauthorised access to a My Health Record as a result of an incorrect parental authorised representative being assigned to a child.
Two breaches resulted from suspected fraud against the Medicare program, where the incorrect records appeared in the My Health Record of the affected individual and were viewed without authority by the individual undertaking the suspected fraudulent activity.
The ADHA report also identified that 17 breaches were a result of data integrity activity initiated by the Department of Human Services to “identify intertwined Medicare records (that is, where a single Medicare record has been used interchangeably between two or more individuals)”.
The remaining 22 breaches were from suspected fraud against the Medicare program involving unauthorised Medicare claims being submitted, and the incorrect records appearing in the My Health Record of the affected customers.
An ADHA spokesperson confirmed that in all instances, the Department of Human Services took action to correct the affected My Health Records.
“Errors of this type occur due to either alleged fraudulent Medicare claims or manual human processing errors, as was the case for the breaches reported during the 2017-2018 financial year. There has been no reported unauthorised viewing of any individual’s health information from a notifiable data breach,” the spokesperson said.
“In each case, the affected individuals have been contacted and the OAIC has examined the circumstances of the breach and no unauthorised breach has been determined.”
The ADHA spokesperson added that there are more than 6.3 million people with a My Health Record, but in the six years of its operations, there have been “no reported unauthorised views of a person’s health information”.
“When a person’s health information is stored in different places – hospitals, doctors’ offices, filing cabinets, computers – they don’t know who is accessing it or when. In a My Health Record, every access is listed in a person’s record access history. A person can be notified by text message about who is accessing their record or restrict access to all or parts of their record,” the spokesperson said.
On 26 November 2018, the Federal Parliament passed legislation to strengthen privacy protections in My Health Records Act 2012 without debate or division.
The new legislation means that Australians can opt in or opt out of My Health Record at any time in their lives. Records will be created for every Australian who wants one after 31 January and after then, they have a choice to delete their record permanently at any time.
“At the time of writing, almost one quarter of all Australians have registered for a My Health Record. That figure is expected to change dramatically with the transition to an opt out system early in the 2018–19 financial year,” ADHA CEO Tim Kelsey said in the report.
“Once this resource becomes almost ubiquitous across the Australian health system, clinical workflows and consumer behaviours will gradually and irrevocably change to take advantage of its many benefits.
“For many people the benefits of digital health will be realised gradually, as health and medical data gradually accumulates to form a comprehensive medical history,” Kelsey said.