Tuesday, December 20, 2011

Just Why Have Medicare Not Got The Abuse Of Their Systems Under Control? Firm Penalties Are Vital.

The inadequacy of the present legislation protecting personal information held by Government agencies is made very clear in the following report.

Centrelink cracks down on misconduct

A CENTRELINK employee was sacked after accessing records belonging to customers and co-workers on 124 separate occasions, and misusing the agency's IT systems to benefit the people concerned.
The 26-year Centrelink veteran was terminated in early 2010, after an investigation into the many "unauthorised accesses" between January 2007 and January 2010.
The outcome is one of 14 cases of suspected breaches of the Australian Public Service code of conduct investigated by Centrelink over recent years; the heavily redacted findings have been published under Freedom of Information laws.
The staff member accessed one customer’s records on 61 occasions, and also a co-worker’s customer record on 61 occasions.
An investigation revealed that on three further occasions, unauthorised accesses to a former co-worker’s records resulted in alterations awarding benefits the individual was not entitled to receive.
The investigating professional standards officer dismissed the employee, saying "Centrelink takes these types of situations seriously".
Detecting and disciplining data snoops is a key priority for federal government agencies, with a number of high-profile data sensitive projects in train, including the merger of Medicare, Centrelink and Child Support and the creation of a national Healthcare Identifier database for the upcoming personally controlled e-health record system.
In the published sample cases, nine other Centrelink employees were found to be searching customer records of family members and acquaintances through the Income Support Information System or OnLine Search facility, incurring penalties of an average $50 to $100 per breach.
More examples of bad behaviour are found here:
With the Government planning to hold all our health records in databases managed by either Medicare Australia or a contract partner, it seems clear the penalties are simply not adequate at present.
For me, proven deliberate access without a proper reason should result in a no-questions-asked instant dismissal, and if there has been any harm caused by the breach there should be serious fines of $20,000+. For breaches for profit etc., jail time should be a serious option.
It is only with disincentives of this level, clearly communicated to staff, that the problem will be substantially addressed.
The Explanatory Memorandum for the PCEHR Bills (page 35 on) makes it clear that civil penalties for abuse of PCEHR information (with some more draconian Crimes Act provisions available for serious criminal activities) will be enacted, and this is a good thing - as long as all involved know how seriously such offences will be taken, and the penalties handed out are substantial enough to act as a proper incentive to do the right thing.
The first time a $110 fine is handed out will be the last time the penalty regime is taken seriously.
You can access the Explanatory Memorandum here:
We really need very powerful disincentives and comprehensive education to make this work - given the Medicare experience among others.
David.
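The detection gap in the report above (one staff member viewing a single customer's record 61 times and a co-worker's record 61 times, plus alterations to a former co-worker's record, over three years without being picked up) is exactly the kind of pattern a routine audit-trail review can surface. The following is an added example written for this post, not Centrelink's or Medicare's code; the audit records, the mapping of records owned by staff, and the thresholds are all constructed.

```python
from collections import Counter

# Constructed audit trail for this example: (staff_id, action, record_id, work_item).
# An empty work_item means no assigned case, i.e. no recorded business reason.
AUDIT_LOG = [
    ("S100", "VIEW",   "C5001", "WI-1"),
    ("S100", "VIEW",   "C5001", ""),
    ("S100", "VIEW",   "C5001", ""),
    ("S100", "VIEW",   "C5001", ""),
    ("S100", "VIEW",   "C7002", ""),
    ("S100", "UPDATE", "C7002", ""),
    ("S101", "VIEW",   "C5003", "WI-2"),
    ("S101", "VIEW",   "C5004", "WI-3"),
    ("S200", "VIEW",   "C7002", "WI-4"),
]

# Constructed: customer records belonging to current or former staff members.
STAFF_OWNED_RECORDS = {"C7002": "S200"}

REPEAT_THRESHOLD = 3  # accesses of one record by one staff member in the window


def review_audit(log, staff_owned, threshold=REPEAT_THRESHOLD):
    """Return findings as dicts (staff, record, kind, count), sorted for review."""
    findings = []
    per_pair = Counter()      # (staff, record) -> number of accesses
    unjustified = Counter()   # staff -> accesses with no work item
    for staff, action, record, work_item in log:
        per_pair[(staff, record)] += 1
        if not work_item:
            unjustified[staff] += 1
        owner = staff_owned.get(record)
        if owner is not None and owner != staff:
            # Someone other than the record's owner touched a co-worker's record.
            kind = "COWORKER_UPDATE" if action == "UPDATE" else "COWORKER_VIEW"
            findings.append({"staff": staff, "record": record, "kind": kind, "count": 1})
    for (staff, record), n in per_pair.items():
        if n >= threshold:
            findings.append({"staff": staff, "record": record,
                             "kind": "REPEAT_ACCESS", "count": n})
    for staff, n in unjustified.items():
        if n >= threshold:
            findings.append({"staff": staff, "record": None,
                             "kind": "NO_WORK_ITEM", "count": n})
    return sorted(findings, key=lambda f: (f["staff"], f["kind"], f["record"] or ""))


def staff_to_escalate(findings):
    """Staff with a co-worker-record finding; an UPDATE there is the highest-impact case."""
    return sorted({f["staff"] for f in findings if f["kind"].startswith("COWORKER")})
```

A staff member viewing their own customer record (S200 on C7002 above) is not flagged; only access by someone other than the record's owner is.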

5 comments:

B said...

quote:

... accessing records ... on 124 separate occasions

... many "unauthorised accesses" between January 2007 and January 2010.

The staff member accessed one customer’s records on 61 occasions, and also a co-worker’s customer record on 61 occasions.

unquote.

If that is a "key priority for federal government agencies", then I suggest the priority level should be raised a few notches.

Anonymous said...

I agree - the monitoring is not very proactive if this staff member could continue to access records for 3 years without being detected!!

"The outcome is one of 14 cases of suspected breaches " - how many more were there that they did not detect if it took them 3 years to find this one? Given they have over 25,000+ staff you can't tell me there were only 14 breaches.

As for the PCEHR data, will any staff be held accountable at all?

Anonymous said...

I think you need to do a tiny bit more research on this. Medicare do indeed have punitive measures for staff accessing records inappropriately. This is regularly covered in Senate enquiries of various flavours and then breathlessly reported by the papers.

Case in point - this story came from the senate inquiry to the HI service and directly addresses the issues raised here: http://www.theaustralian.com.au/australian-it/substantiated-privacy-breaches-in-2009-medicare/story-e6frgakx-1225840159226

The system isn't perfect by any means, but there are regular public airings of the grubby laundry that help to maintain a focus on managing it.

Dr David More MB PhD FACHI said...

The point is that the proof of the pudding is in the eating. Staff are still breaching and getting relatively minor penalties. I reckon if you knew you faced jail time that would reduce the incidence of the problem dramatically.

This is separate from the issue that all this breaching erodes public confidence - which we need if e-health is to have a hope of working.

David

Anonymous said...

And it is still after-the-event activity. Sometimes way after the event. In the case of e-health that can be too late if someone has disclosed information, misused IT systems and their access to them, and possibly altered information contained within records. (This case states that alterations were made to award benefits that an individual wasn't entitled to. Imagine a similar impact on a health record.)

Public confidence is already shot to pieces with so many recent breaches in the banking and telco space that seem to pass with just an apology, no real consequence and no real fix to prevent the problem from happening. e-health deserves better.