The Department of Human Services has admitted it uploaded sensitive Medicare claims records to the wrong recipient’s electronic health records 86 times in the 12 months to 30 June 2016.
DHS, which is responsible for the operation of the Medicare medical rebate scheme, is obliged under law to report any data breaches related to the national My Health Record system to Privacy Commissioner Timothy Pilgrim.
It said it identified the privacy breaches during data-based checks on Medicare compliance.
The Medicare mix-ups form the bulk of the 94 individual health record breaches, affecting 103 people, that were reported to Pilgrim and the Office of the Australian Information Commissioner in 2015-16.
The count has jumped dramatically on past years (reported numbers typically sit in the single digits) in the same 12 months in which the federal government started trialling its shift to opt-out registration for e-health records.
In 2014-15, the OAIC received seven mandatory data breach reports, and in 2013-14 it received just two. However, in neither of these years did the regulator specify how many individuals were affected by each reported incident.
The health department is in the midst of two trials of the opt-out process that will see more than one million residents in northern Queensland and the Blue Mountains region of NSW automatically signed up for a record unless they proactively refuse.
However, a spokesperson for the DHS told iTnews the rate of breaches still only accounts for a tiny fraction of health record users.
“These types of cases are quite rare – with more than 4 million people registered at this time for a My Health Record, data breaches represent around 0.004 percent,” the spokesperson said.
“The OAIC has said it considers the department has acted appropriately in assessing data breaches, containing any disclosure of personal information and notifying affected individuals.”
The department did not offer any other details on how the upload error occurred.
The privacy regulator is still running open investigations on a number of the reports made by Medicare, and said it would close its probes once it receives further clarification of the circumstances surrounding the breaches.
The agency also alerted the privacy office to five other data breaches related to ID mix-ups, where two record holders with very similar identifying information (such as names and birthdays) had the other’s personal data accidentally linked to their account.
The “intertwined” Medicare records issue is one the Department of Health has been grappling with for a number of years.