WA health data published by teen to public-facing site

A “person under the age of 16” is the owner of the website that published the contents of pager communications among WA Health staff and other authorities, it has been revealed.

Western Australia Premier Mark McGowan said police had visited the individual and managed to have the site shut down.

The site contained “sensitive” and “confidential” information about suspected COVID-19 and child protection cases, among others.

The data was gleaned from a third-party operated pager service, the use of which was suspended late on Monday after the data leak became apparent.

“The individual who has published this information, that person was discovered and police have intervened there,” McGowan told a press conference.

“I'm advised the website has been shut down. It was [run by] a person under the age of 16, who obviously spends a lot of their life online, and did this sort of thing as some young people do.”

McGowan said a forensic examination of the data that had been on the website would follow.

“The secure information that may have been transmitted, the people whose names might be there, there's going to be a forensic examination to make sure those people are contacted and advised if any of their information was published inappropriately so that will go on,” he said.

“In terms of cyber security, the [WA] Office of Digital government is now investigating as to what else can be done and where else this might be occurring across government, and whether or not any other secure information is being transmitted in this way.”

McGowan said that he “personally thought pagers went out in the 90s”.

“I had no idea that they were still being used anywhere, let alone within the Western Australian government, but that's the arrangements put in place,” he said.

At a federal level, the Office of the Australian Information Commissioner (OAIC) indicated it has taken an interest in the incident.

“The OAIC is making urgent preliminary inquiries about the facts and circumstances of the reported data breach of patient information in Western Australia,” it said.

“The Federal Privacy Act covers private health providers, organisations with an annual turnover of more than $3 million and most Australian Government agencies. It does not generally cover West Australian state government departments.”

The pager network was operated by Vodafone, according to WA Today.

Vodafone told the paper it had advised customers of the paging system to shift to more secure messaging services for some time.