The federal Health department breached privacy law when it released a botched dataset that allowed for the re-identification of patients, Australia's privacy commission has found.
In December researchers from the University of Melbourne revealed they were able to easily re-identify patients from the data without using decryption methods.
Health had released the supposedly de-identified data - on Australian Medicare benefits scheme (MBS) and pharmaceutical benefits scheme (PBS) claims - in mid-2016.
The dataset included medical billing records of 2.9 million people, or 10 percent of all Australians, from 1984 to 2014. It also included year of birth, gender, and medical events data.
However, it was removed by the Health department just a month later after the same researchers pointed out that practitioner details could be decrypted.
The researchers then revealed last December that more information from the dataset could be re-identified. They were able to match an individual to their record simply by using known information about the person, like their year of birth and medical procedures.
The Office of the Australian Information Commissioner at that time said it had been investigating the matter since the problems first came to light in September 2016.
It today said it had completed its investigation and had concluded the department had breached privacy law.
The Health department has accepted an enforceable undertaking from the OAIC that requires it to "continue to review and enhance its data governance and release processes with oversight from the OAIC".
The office said this was an "appropriate" response to the issue given the breaches were "unintentional" and the agency had decided to publish the dataset based on "the understanding that the privacy interests of all relevant individuals were protected".
“While there is some risk of re-identification of patients by a sufficiently informed and skilled person, this risk is extremely low,” its report found.
The OAIC also noted Health's "co-operative manner" and "quick and comprehensive" steps to minimise the privacy impact of the breach, as well as the changes it has made to date.
"This incident holds important lessons for custodians of valuable datasets containing personal information," the OAIC said in a statement.
"Determining whether information has been appropriately de-identified requires careful, expert, and likely independent evaluation. Who the information is released to must also be considered.
"This incident offers an opportunity for Australian government agencies to strengthen their approach to publishing data derived from personal information."
From July this year government agencies will be required to adhere to a privacy code, overseen by the OAIC, that details the steps all agencies need to take to meet their existing regulatory privacy obligations.
The Health breach in 2016 spurred the government to propose legislation that would criminalise the re-identification of open public sector data. The bill has stalled in the senate due to a lack of support from Labor and the Greens.