“PCEHR password” probably an access code
An Adelaide man who claimed he was emailed a “private login password” to the PCEHR probably received an erroneous personal access code (PAC) instead, the Department of Health said.
ABC News reported on Tuesday that it had been contacted by an unnamed man, who said he had received an email from the PCEHR system operator about having successfully registered.
The man said he had not applied for a record and that the email seemed intended for another person with the same last name.
"I'm just concerned that I was sent a private login password for something that I wasn't entitled to that potentially could seriously breach the privacy of an unsuspecting number of the public," he told the ABC.
A DoH spokesperson said the man may have been sent a PAC, which is used when consumers are signed up using assisted registration or through a Medicare office.
“Despite asking, via the ABC, for the complainant to contact us, he has not done so and it is difficult to ascertain what happened in this situation,” the spokesperson said.
“It is important to note that people who erroneously receive access codes cannot access another person's eHealth record without additional personal information.”
Industry sources say it is most likely that a person with the same surname was signed up during assisted registration and the registrar or the individual entered the wrong email address.
Consumers can be assisted to register in a medical practice where they are a “known customer”, or by Medicare Locals or Aspen Medical staff who have been funded recently to conduct a registration drive.
The consumer's details are sent to the PCEHR system operator through an assisted registration tool (ART) and the details are validated. The consumer can opt to receive a personal access code by SMS or email, allowing them access to the record on a one-off basis.
The DoH spokesperson said the individual must still have certain personal information before being allowed to view the record.
“Access codes are used after a person has been registered through assisted registration or at a Medicare office so they can log on for the first time,” the spokesperson said.
“The code is used once in combination with other information and then the person sets their own password. The code cannot be used without the additional information or used more than once.
“Given nearly 900,000 people are registered, a small number of typographical errors could be expected to occur in the despatch of access codes via text or email.
“However, the personal identification information, held privately by the original applicant, is a privacy safety net for access to that applicant's eHealth record.
“The Departments of Health and Human Services will investigate this if the man contacts us and identifies himself.”
Posted in Australian eHealth