Fixes are in for PCEHR data breaches
The Department of Health (DoH) has reported two data breaches of the PCEHR, one in which healthcare providers were technically able to view a consumer's personal health notes and another in which individuals were able to inadvertently link a family member's PCEHR to their own myGov account.
The breaches were revealed in the Office of the Australian Information Commissioner's (OAIC) annual report of its activities in relation to eHealth, tabled on Tuesday. The department says a technical fix has been put in place for the first breach and containment strategies for the second.
The report shows that in May this year, the department notified the OAIC that consumers who had logged into their myGov account and used their identity verification code (IVC) to link up their PCEHR were also able to set up access to another consumer's PCEHR.
The IVC is emailed or SMSed to the consumer after they are registered for the PCEHR through assisted registration, a streamlined way of registering through a healthcare provider's software. The consumer can then set up or log in to myGov at home and use the IVC to access their PCEHR.
A spokesperson for the Department of Health said a small number of people used their own myGov account to access both their own and their spouse's or another family member's existing eHealth record.
“This occurred where a family member made their access code (IVC) available to the other person opening their eHealth record,” the spokesperson said.
According to the OAIC, this resulted in the landing page of the first consumer’s PCEHR showing two ‘Open your eHealth record’ buttons, which provided links to open both consumers’ PCEHRs.
“The system operator [the DoH secretary] removed all links between these records and the small number of affected parties were contacted to explain what had occurred and offered assistance to re-establish the appropriate online access,” the DoH spokesperson said.
“The system resolution to this incident has prevented this situation from occurring again.”
The OAIC noted that the cause of the breach was not related to myGov, an online portal to government services such as Medicare, the PCEHR, Centrelink, the DVA, the National Disability Insurance Scheme and most recently the Australian Taxation Office.
myGov is operated by the Department of Human Services. In September, Human Services Minister Marise Payne reported that the system now had five million active users.
In May, it was revealed that myGov was vulnerable to a common cross-site scripting flaw.
DHS rejected these concerns, saying myGov met all of the government's security requirements for the protection of personal information.
The other potential breach was notified to the OAIC in December last year. The OAIC reports that this data breach involved a technical change made to the system that meant that healthcare providers could view consumers’ personal health notes.
The personal section of the PCEHR is where consumers can add their own notes or a personal health diary and is not supposed to be accessible to clinicians.
“Investigations by the system operator identified the cause and a technical fix was put in place to prevent further access,” the OAIC said. “The OAIC reviewed the information provided by the system operator in relation to the breach and determined that the response was appropriate and that no further action was required.”
The department confirmed that personal health notes of a small number of registered consumers were accessible by their authorised healthcare providers, but there is no evidence that any such access occurred.
“The problem was corrected through a technical fix within a few hours of being identified,” the DoH spokesperson said.
“The fact that these notes potentially became accessible to healthcare providers is taken as being viewed, regardless of whether these were actually viewed.
“The small number of affected consumers were contacted and advised of the breach, and were satisfied with the measures taken by the system operator.”
The OAIC said it had also liaised with the department about other incidents relating to the PCEHR system which did not meet the criteria for mandatory data breach notifications under the act.
This includes an incident in September last year in which an email containing a consumer’s IVC and other personal information was sent to the incorrect email address.
“The email recipient, however, did not have the other information required to access the consumer’s record,” the OAIC report says. “The OAIC provided recommendations to the system operator about how it could reduce the impact of any future incidents of this type. The system operator advised that it had implemented the OAIC’s recommendations.”
The OAIC's annual report also says it received no complaints about the PCEHR system in 2013-14.
During the period, it undertook two audits of the system operator, one involving the department's policies and procedures for the collection of personal information through the PCEHR consumer registration process.
The other was to examine the storage and security of personal information held in the National Repositories Service, the database that contains all of the clinical documents held on the system, which is located in a data centre in Sydney.
It also audited the assisted registration policies of 10 healthcare provider organisations to assess whether those organisations' policies addressed the new Australian Privacy Principles, along with the assisted registration practices of the Western Sydney Medicare Local (WSML) and the privacy collection notice of Calvary Health Care ACT in relation to the PCEHR and the Healthcare Identifiers (HI Service).
The OAIC reports that as of June 30, it was awaiting final comments from the system operator on these audits.
The Australian Medical Association (AMA) recently reported that the OAIC would shortly begin conducting assessments of a small sample of general practices that use the PCEHR to see if the practices have appropriate information handling processes to protect the security of personal information.
“The OAIC will make suggestions if it considers improvements can be made to those practices,” the AMA said. “The aim of the assessments is to determine if there is a need for the OAIC to undertake education in this area.
“The OAIC has indicated it is likely that the practices assessed will be based in NSW or ACT. The determination of which organisations to assess will be dependent on their use of the PCEHR system.”
The OAIC also reported that it had received and finalised two complaints from the same person about the use of the Individual Healthcare Identifier (IHI).
The federal government announced in the May budget that it was disbanding the OAIC on January 1, 2015. The functions of the office, which includes the Information Commissioner, the Privacy Commissioner and the Freedom of Information Commissioner, will revert to the structure in place before it was established in 2010.
The Privacy Commissioner will continue as an independent agent but the FOI Commissioner and the Information Commissioner will no longer exist. The FOI Act will be jointly administered by the federal Attorney-General’s Department, the Administrative Appeals Tribunal and the Commonwealth Ombudsman.
It is unclear what agency will have oversight of the privacy aspects of the PCEHR in future. The OAIC has been providing advice and oversight on the PCEHR through a memorandum of understanding with DoH, along with an independent regulatory role for the HI Service.
The OAIC reports that it received $509,898 for oversight of the HI Service and $1,294,818 for oversight of the PCEHR system in 2013-14.