The Department of Health has been forced to own up to two inadvertent breaches of the national health records system in the past 12 months, the Information Commissioner has revealed.
Legislation underpinning the Personally Controlled Electronic Health Record (PCEHR) demands that the department notifies the Office of the Information Commissioner of any privacy slip-ups that could impact on the integrity of personal medical data stored in the PCEHR system.
In December last year, the department acknowledged to the OAIC that a technical change had introduced a glitch into the system potentially allowing a handful of healthcare providers to access PCEHR users’ personal health notes without authorisation, for a short window of time.
A health spokesperson did not tell iTnews whether or not it thought the files had actually been viewed, but said “the fact that these notes potentially became accessible to healthcare providers is taken as being viewed, regardless of whether these were actually viewed”.
The department added, however, that the error was fixed “within a few hours” of being picked up. It still got in touch with a handful of affected users to let them know what had happened.
The second breach took place six months later in May 2014, and saw some users given the option of linking their MyGov accounts to two PCEHR records, their own and that of a spouse or family member.
When the affected users logged into their MyGov account and followed the options to link it to their PCEHR file, they accidentally also linked to a second account, meaning two ‘open your ehealth record’ icons showed up on their landing page, both of which linked to different medical records.
The spokesperson told iTnews that the department has now “removed all links between these records and the small number of affected parties were contacted to explain what had occurred and offered assistance to re-establish the appropriate online access”.
“The system resolution to this incident has prevented this situation from occurring again.”
She also pointed out that the affected users had only been able to link to the second account when the spouse or family member it belonged to handed over their personal access code.
In its annual ehealth report, the OAIC said that it was satisfied with the remediation action that Health took to address the first case and wouldn’t be taking any further action. It was still investigating the second case as of 30 June, but stressed that it was not looking at the security of the MyGov portal itself as a contributing factor.
Earlier this year, Health Minister Peter Dutton said he backed suggestions to make the use of the PCEHR opt-out, meaning Australians would automatically have a record established in their name. However, he said the government would continue to consult with stakeholders before making its final decision.
The national system is also likely to be rebranded MyHR.