Australian E-Health records breached twice in the last year

Australia's Office of the Information Commissioner (OAIC) has released its Annual report of the Information Commissioner’s activities in relation to eHealth 2013–14, complete with a report on two data breaches in the systems used to store personally controlled electronic health records (PCEHRs).

The first was notified in December 2013 and “involved a technical change made to the system that meant that healthcare providers could view consumers’ personal health notes.”

“Investigations by the System Operator identified the cause and a technical fix was put in place to prevent further access,” the report continues, and this response was deemed “appropriate and … no further action was required.”

The second breach looks nastier and came to light in May 2014. “This breach involved consumers logging into their MyGov account and using their identify verification code (IVC) to access their own PCEHR and link their PCEHR to their MyGov account,” the report explains. “In some instances they also accidentally set up access to another consumer’s PCEHR while still logged into their own MyGov account, linking that second consumer’s PCEHR to their own MyGov account. This resulted in the landing page of the first consumer’s PCEHR showing two ‘Open your eHealth record’ buttons, which provided links to open both consumers’ PCEHRs.”

Unspecified “strategies” were “implemented to prevent similar incidents occurring”. The affair's not over: the report says “consideration of the data breach notification and the further information provided by the System Operator was ongoing at 30 June 2014.”

The “System Operator” is the secretary of the Department of Health. Accenture and Orion Health are known to have built the PCHERs system, with a fair bit of Oracle software below including Big Red's Identity and Access Management tools.

The news isn't all bad: in the last year the OAIC also managed to establish a new “Agreement for information sharing and complaint referral relating to the personally controlled electronic health (eHealth) record system between the OAIC and the System Operator.” So the next time there's a breach, at least you've got someone to complain to. ®