Wednesday, January 09, 2019
ZDNet Does A Much Better Than Average Job Of Explaining The #myHealthRecord Data Breaches.
This appeared last week:
Highest category of breaches was due to attempted Medicare fraud, the Australian Digital Health Agency has said in its 2017-18 annual report.
Australia's troubled My Health Record recorded 42 data breaches between July 1, 2017 and June 30, 2018, the Australian Digital Health Agency (ADHA) has said in its 2017-18 annual report [PDF].
Three of the breaches were reported to the Office of the Australian Information Commissioner (OAIC) and involved one breach of unauthorised access due to an incorrect Parental Authorised Representative being assigned to a child, and two breaches due to suspected Medicare fraud that resulted in the potential fraudster seeing records without authority.
ADHA also said 17 breaches were found from the Department of Human Services identifying intertwined records where two or more people have been using the same Medicare record, and 22 breaches from attempted Medicare fraud where unauthorised claims appeared incorrectly in the My Health Record of affected users.
"There have been no purposeful or malicious attacks compromising the integrity or security of the My Health Record system," ADHA said.
The Department of Human Services had corrected the records in all instances, ADHA said.
The My Health Record operator said as of July 27, 2018, almost one quarter of Australians had a record.
"In 2017–18 the Agency, as System Operator, registered 935,206 people for a My Health Record," it said. "There were a total of 42,877 cancelled registrations during the year."
ADHA said 221,580,930 documents were uploaded to the system in 2017-18, and 798,000 people accessed their records through its portal in that time frame.
As of June, ADHA reported connecting 178 of the country's 208 private hospitals to My Health Record, and 815 of Australia's 1,108 public hospitals to the system.
Australians have until January 31 to opt-out of the national health record system or they will have a record created for them if they do not already have one.
By October 19, 1.147 million had removed themselves from the system, but ADHA said it was happy with the result.
In the wake of the annual report, Labor has reiterated its call for OAIC to review the system, and hit out at the AU$20 million deficit that ADHA reported.
There is a good deal more here:
This paragraph is the one that matters:
“Three of the breaches were reported to the Office of the Australian Information Commissioner (OAIC) and involved one breach of unauthorised access due to an incorrect Parental Authorised Representative being assigned to a child, and two breaches due to suspected Medicare fraud that resulted in the potential fraudster seeing records without authority.”
What this says is that there was 1 human error and two episodes where a fraudster viewed some records. Frankly, no matter what the sophistry of the ADHA, the last two were unauthorised viewing of records and were clearly breaches in any common understanding of the word.
Chris Duckett does, by the way, accurately report what page 59 of the Annual Report says.
So the ADHA is flat out lying with all this. It is as simple as that!
You can see how blatant they are from their release (the first para is just blatant):
31 December 2018
There have been no reported unauthorised views of a person’s health information in My Health Record in the six years of its operations. More than 6.3 million people have a My Health Record.
The Agency, which was established in July 2016, has a legal responsibility under the My Health Records Act 2012 to report ‘notifiable data breaches’ to the Office of the Australian Information Commissioner (OAIC). These ‘notifiable data breaches’ have been routinely reported by the Agency and the Department of Human Services which runs the identity scheme which underpins My Health Record to the OAIC. These reports are published annually by the OAIC. Details are also described on page 59 of the Agency’s 2017-2018 Annual Report. Errors of this type occur due to either alleged fraudulent Medicare claims or manual human processing errors, as was the case for the breaches reported during the 2017-2018 financial year. There has been no reported unauthorised viewing of any individual’s health information from a ‘notifiable data breach’.
In each case, the affected individuals have been contacted and the OAIC has examined the circumstances of the breach and no unauthorised breach has been determined. In all instances of data breaches reported by the Chief Executive Medicare, the Department of Human Services took action to correct the affected My Health Records.
When a person’s health information is stored in different places – hospitals, doctors’ offices, filing cabinets, computers – they don’t know who is accessing it or when. In a My Health Record, every access is listed in a person’s record access history. A person can be notified by text message about who is accessing their record or restrict access to all or parts of their record.
If a person feels someone has looked at their record when they shouldn’t have, they can call on 1800 723 471 and the Australian Digital Health Agency will investigate immediately. It is criminal for someone to have unauthorised access to a record, and serious penalties apply.
Here is the link:
Changing topics, the report of the usage of the system is revealing: it highlights that less than 1/6 of those individuals currently with a record had actually accessed the portal for any reason whatsoever over a full year, even to check whether they are lucky enough to have one or not. Note this is less than 4% of the whole population who have felt the need to access their record – and probably much less, given that the very few who actually use the system probably have multiple log-on episodes.
Just why the ADHA will not release useful and worthwhile usage stats is a mystery – we know they have them from the Board Minutes – and basically confirms the system is a flop and totally uninteresting or useful to most. That the move to opt-out is being inflicted on us all just confirms what a popular failure it is.
Posted by Dr David G More MB PhD at Wednesday, January 09, 2019