Data breaches rise in My Health Record system

The number of data breaches involving the My Health Record system rose from 35 to 42 in the past financial year, new figures show.

The Australian Digital Health Agency (ADHA) said in its annual report [pdf] that “42 data breaches (in 28 notifications) were reported to the Office of the Australian Information Commissioner” in 2017-18.

As with previous years, the agency said that “no purposeful or malicious attacks compromising
the integrity or security of the My Health Record system” were reported in the period.

Of the 42 breaches, one was the result of “unauthorised access to a My Health Record as a result of an incorrect Parental Authorised Representative being assigned to a child”, the agency reported.

A further two breaches were from “suspected fraud against the Medicare program where the incorrect records appearing in the My Health Record of the affected individual were also viewed without authority by the individual undertaking the suspected fraudulent activity”, ADHA said.

In addition, 17 breaches were the result of “data integrity activity initiated by the Department of Human Services to identify intertwined Medicare records (that is, where a single Medicare record has been used interchangeably between two or more individuals)”, the agency said.

The number of complaints against My Health Record was slightly lower in 2017-18 than in 2016-17, falling from 64 to 57.

The breach numbers came at the end of a tough year for My Health Record.

Every Australian will eventually receive a My Health Record unless they opt out of the scheme.

Initially, Australians were given only three months to opt out, however the window of time has been extended twice due to problems with the process.

The latest opt out deadline is the end of January this year. However, the breach numbers provided fuel for critics of the scheme to demand further delays to properly scope ongoing privacy and security concerns.