This appeared last week:
7 December 2018
DHS allows police access to private health data
While public outrage over access to My Health Record (MHR) data has forced a legislative change in favour of greater privacy, the police have been quietly dipping into another honeypot of health data: PBS and MBS records.
An investigation by The Medical Republic has revealed state, territory and federal police forces have sent around 2,600 requests a year for this sensitive health data to the Department of Human Services over the past two years. The department can legally disclose private health records to the police without a court order.
The department would not reveal how many of these requests were granted, but said the number of disclosures per year had remained stable over the past decade.
Once linked, Pharmaceutical Benefits Scheme (PBS) and Medicare Benefits Schedule (MBS) data can paint a very detailed picture about a person’s medical history.
PBS data includes every rebatable medication purchased at a chemist. MBS records show which Medicare item numbers were billed for during each consultation, and what tests were ordered.
This information is as sensitive as MHR data, although it lacks the granularity of laboratory test results or GP notes, which can be included in a MHR. In November, the federal parliament passed legislation requiring police to produce a court order to access MHR data.
“This begs the question as to why similar protections are not being enacted in the MBS and PBS legislation,” Malcolm Crompton, a former privacy commissioner of Australia and founder and lead privacy advisor of Information Integrity Solutions, told The Medical Republic.
The legislative inconsistency was an “undeniable oddity” especially because most of the content of a MHR would, at least initially, simply be MBS and PBS data, he said.
Data sharing between the Department of Human Services and the police is shrouded in secrecy, with decisions being made behind closed doors by unnamed officials using an undisclosed set of public interest guidelines, which were issued by the secretary of the Department of Health in 2003.
The human services department has refused to make its 18-page privacy guidelines public under FOI laws, citing concerns that agencies might use their knowledge of the guidelines to trick the department.
“Specifically, with the benefit of having reviewed the document, requestors may construct their requests in a manner that undermines the department’s procedures (e.g. by misleading the delegate) in order to secure the disclosure of the requested information,” an FOI decision maker said.
Bernard Robertson-Dunn, PhD, the chair of the health committee at the Australian Privacy Foundation, said that argument was flawed and that the guidelines should be published.
“It could be argued that such secrecy and the implied suggestion that the police cannot be relied upon to do the ‘right thing’ is further undermining trust in public sector organisations,” he said.
“Is the department seriously suggesting that the police do not always act in the public interests?”
The department eventually provided a single case study for police use of private health data, four months after initially being asked about the purpose of disclosing this data, and only after The Medical Republic’s investigation exposed the scale of police requests.
The case study describes a scenario where the police are making an enquiry about a missing person whose safety is in question, and are using MBS and PBS claims information to determine whether the missing person had seen a doctor, obtained medications or updated their contact details.
The Medical Republic contacted each state, territory and federal police force for this investigation, but only the NT Police confirmed how many times the department had provided patient information.
Lots more here:
We also had this little morsel.
Commonwealth Bank customers' medical data exposed in potential privacy breach
By Dan Oakes, ABC Investigations
The Commonwealth Bank is urgently investigating a potential data breach that may have given its staff access to customers' sensitive medical information.
Key points:
- Sensitive medical data held by CommInsure was accessible to other staff members, including those making decisions on loan applications
- The bank says it has not found evidence any data was accessed from outside the insurance arm, but it is still investigating
- A former staff member says there was the potential for the data to be misused
The issue was discovered around late July as the bank made preparations for the $3.8 billion sale of its insurance arm, CommInsure, to the AIA group.
Medical information supplied by an unknown number of customers to CommInsure was made available to other arms of the bank, including to staff who decide whether to approve or decline loan applications.
The bank said since the discovery of the potential breach, it had been scouring records to ascertain whether the data was "accessed inappropriately" by employees.
While the bank said it had found no evidence of staff outside CommInsure accessing the personal data of CommInsure customers, it has informed the Office of the Australian Information Commissioner, the Australian Security and Investment Commission (ASIC) and the Australian Prudential Regulation Authority (APRA).
But it said it had not told its CommInsure customers, as it did not believe a privacy breach had occurred.
It also did not clarify to the ABC how many people may be affected.
Under the notifiable data breaches scheme, the bank would be obliged to inform customers if "there is unauthorised access to or unauthorised disclosure of personal information, or a loss of personal information that an entity holds", and that "this is likely to result in serious harm to one or more individuals".
The bank has retained consultancy firm McGrathNicol to oversee the investigation into whether data breaches occurred.
"We understand that some customers will be concerned about this shared internal access and we are taking steps to ensure access to all sensitive information associated with CommInsure is provided on a need to know basis," a spokeswoman for the bank said.
Lots more here:
All one can think to one’s self is what exactly is going on here. It seems one way or another private health information is being accessed and used all over. It is really time the OAIC investigated and closed down all the loopholes for the sake of public confidence!
David.