Wednesday, November 16, 2016
Talk About A Report That Tells You Nothing At All Useful! This One Rates!
This popped up last week:
Over the previous financial year, Australia's Information Commissioner found 94 breaches affecting a total of 98 healthcare recipients that held a My Health Record.
During the 2015-16 financial year, the Office of the Australian Information Commissioner (OAIC) received 16 mandatory data breach notifications, which recorded 94 separate breaches.
According to the Annual report of the Australian Information Commissioner's activities in relation to digital health 2015-16 published on Thursday by Australian Information Commissioner and Australian Privacy Commissioner Timothy Pilgrim, the 94 separate breaches affected a total of 103 healthcare recipients, 98 of whom had a My Health Record at the time of breach.
In his report [PDF], Pilgrim said the OAIC received three data breach notifications from the system operator, with the first of the notifications relating to MyGov accounts held by healthcare recipients being incorrectly linked to the My Health Records of other healthcare recipients.
The second and third notifications related to unauthorised My Health Record access by a third party, the report says.
Thirteen notifications were reported by the chief executive of Medicare and included five notifications that were about five separate data breaches related to intertwined Medicare records of healthcare recipients with similar identifying information, which resulted in the Medicare claims data belonging to one healthcare recipient being available in the digital health record of another.
The report says the remaining eight notifications involved 86 separate breaches in which Medicare claims data was uploaded to incorrect digital health records.
"These breaches were identified from the Medicare compliance program conducted by the Department of Human Services," the report explains.
Lots more here:
You can see the reports for the last few years here:
Here is the 2015-16 Annual Report Executive Summary.
This annual report sets out the Australian Information Commissioner’s digital health compliance and enforcement activity during 2015–16, in accordance with s 106 of the My Health Records Act 2012 (My Health Records Act) and s 30 of the Healthcare Identifiers Act 2010 (HI Act). The report also provides information about the Office of the Australian Information Commissioner’s (OAIC) other digital health activities, including its assessment program, development of guidance material, provision of advice, and liaison with key stakeholders.
This was the fourth year of operation of the My Health Record system and the sixth year of the Healthcare Identifiers (HI) Service, a critical enabler for the My Health Record system and digital health generally.
The management of personal information is at the core of both the My Health Record system and the HI Service (collectively referred to as digital health in this report). In recognition of the special sensitivity of health information, the My Health Records Act and the HI Act contain provisions that protect and restrict the collection, use and disclosure of personal information.
The Australian Information Commissioner oversees compliance with those provisions and is the independent regulator of the privacy aspects of the My Health Record system and the HI Service.
The 2015–16 financial year saw significant changes made to the My Health Record system.
The system started in 2012 as an opt–in system where an individual needed to register in order to get their My Health Record. However, from March 2016, the Australian Government commenced a trial of opt–out system participation in Far North Queensland and in the Nepean Blue Mountains region of NSW. A My Health Record has now been created for each individual living in those areas, unless the individual chose to opt–out of participating in the trial. Changes to the My Health Records Act introduced by the Health Legislation Amendment (eHealth) Act 2015 enabled the trial to be undertaken.
That amendment Act also introduced a number of other changes across digital health legislation and the Privacy Act 1988 (Privacy Act), including streamlining the personal information handling authorisations, and introducing additional civil and criminal penalties for privacy breaches.
In 2015–16, the OAIC received 16 mandatory data breach notifications. These notifications recorded 94 separate breaches affecting a total of 103 healthcare recipients, 98 of whom had a My Health Record at the time of the breaches. Five of these notifications remain open at the end of the reporting period.
The OAIC received one complaint regarding the My Health Record system and no complaints relating to the HI Service. In addition to handling data breach notifications, the OAIC carried out a full program of digital health–related work, including:
› commencement of three privacy assessments and completion of two assessments from the previous year
› commenting on draft legislation and preparing a submission to the Senate Community Affairs Legislation Committee inquiry into the Health Legislation Amendment (eHealth) Bill 2015
› providing advice to the Department of Health (Health) on a range of privacy matters and documents in connection with the planning for, and conduct of, the opt–out trials
› developing, revising and updating guidance materials for a range of health and consumer audiences, including publishing consumer fact sheets containing key privacy information on the opt–out trials
› publishing the OAIC’s Guide to mandatory data breach notification in the My Health Record system, which explains the mandatory reporting obligations under the My Health Records Act and outlines the steps for dealing with a data breach
› monitoring developments in digital health, the My Health Record system and the HI Service.
The OAIC’s digital health activities were carried out under a memorandum of understanding (MOU) with Health, signed on 30 June 2015, which continued to 30 June 2016. More information about the OAIC’s MOU with Health is provided below in section 2 of this report. The MOU can be accessed on the OAIC’s website: oaic.gov.au.
----- End Extract
Reading the detail of the report, you discover:
1. The OAIC was paid over $1.8M for its year of monitoring.
2. It looks like they need to establish a new relationship with ADHA after June 30, 2016.
3. The report identifies a fair few breaches (50+) (as in the article above) but really does not explain what had happened to the people impacted.
4. Someone made a complaint, but as far as I can tell there was no explanation of who, what, how etc.
5. The report seems rather repetitive.
Overall I don’t feel we are all that much the wiser about all these breaches and what has been done to prevent them in the future.
(I have a suspicion it is mostly due to errors in the IHI data, but this does not seem to be made clear.)
We all deserve more transparency!
Posted by Dr David More MB PhD FACHI at Wednesday, November 16, 2016