ADHA reports ‘My Health Record’ hit by 42 data breaches in 2017-2018

• My Health Record recorded 42 data breaches between July 1, 2017, and June 30, 2018.
• ADHA reported that most of the data breaches were due to attempted Medicare fraud

The Australian Digital Health Agency (ADHA) said in its 2017-18 annual report that ‘My Health Record’ recorded 42 data breaches between July 1, 2017, and June 30, 2018. Most of the data breaches were due to attempted Medicare fraud, ADHA reported.

Three of the breaches were reported to the Office of the Australian Information Commissioner (OAIC). Out of the three, two breaches occurred due to suspected Medicare fraud which resulted in the potential attacker accessing records without permission. The other one involved unauthorized access as a result of an incorrect Parental Authorised Representative being assigned to a child.

Most of the data breaches due to attempted Medicare fraud

ADHA said that 17 breaches were identified from the Department of Human Services identifying intertwined records where two or more people have been using the same Medicare record. However, The Department of Human Services had corrected the records in all such cases. ADHA also said in its annual report that 22 breaches were due to attempted Medicare fraud where unauthorized claims appeared incorrectly in the My Health Record of the affected users.

“There have been no purposeful or malicious attacks compromising the integrity or security of the My Health Record system,” ADHA stated in its report.

“In 2017–18 the Agency, as System Operator, registered 935,206 people for a My Health Record. There were a total of 42,877 cancelled registrations during the year,” ADHA added.

ADHA also said that around 221,580,930 documents were uploaded to the system during 2017-18, and almost 798,000 users accessed their records through its portal during that period.

Australians had time-period until January 31 to opt-out of the national health record system and 1.147 million people had removed themselves from the system by October 19. However, ADHA said that it was content with the result.

"After spending 2018 focused on tearing down his own Prime Minister, Minister Hunt must now focus on delivering a My Health Record that is secure and on a budget," Shadow Health Minister Catherine King said in a statement.

Regarding the privacy concerns related to its operations, ADHA said that it had created a privacy team to "embed privacy within the functions and culture of the agency". It is to be noted that its director of privacy had resigned earlier in November 2018 over privacy concerns.

“Maintaining community trust in the privacy and security of the My Health Record system is imperative to the success of the program. The privacy team takes a proactive, privacy by design approach to managing the development and operation of the My Health Record system,” ADHA wrote in its annual report.

Penalties for improper use of My Health Record

In November, the government announced that it would increase the maximum penalties for improper use of My Health Record data. The penalties included the following,

• A maximum jail term of five years instead of two years
• A maximum fine AU$315,000. The initial fine was AU$126,000, and
• Private health insurers will not be able to access health or de-identified data.

Moreover, the government announced that employers will not be able to use health information to discriminate against employees or potential employees.

"Importantly, employers or insurers cannot simply avoid the prohibition by asking the individuals to share their My Health Record information with them," Health Minister Greg Hunt said.

Parents who have restricted access to a child and parents who are a potential risk to a child or to the person associated with the child, will not be allowed to become an authorized representative.