NOTIFIABLE DATA BREACH REPORT IS REASON TO BE WARY OF MY HEALTH RECORD

This week, the second-ever quarterly report for the Notifiable Data Breaches (NDB) scheme was released showing the OIAC have received 242 notifications in the period of 1 April to June 2018. This is up quite considerably from the 63 notifications received in the first quarter.

But what hasn’t changed, is the most represented industry in both reports continued to be health service providers – casting more doubt around the forthcoming My Health Record.
 
The same day this was released, Health Minister Greg Hunt announced he would will “tear up legislation”. The legislation he is referring to, was under Section 70 of the My Health Records Act 2012 granted the ability for law enforcement agencies to receive this information if they “reasonably believe” disclosure will aid “the prevention, detection, investigation, prosecution or punishment of criminal offences, breaches of law…” and “the protection of public revenue”.
This is a big move, as terminology like ‘reasonably believe’ and ‘the protection of public revenue’ places a different spin on how this data could be used. In essence, anything could be argued to be reasonably believed. Although the op-out period has been extended and ‘changes to the legislation’ are coming, it’s important for the public to still seriously weigh up the risks and benefits before using the system.
 
Let’s think of it in the context of the report. The top cause of the breaches were of malicious and criminal nature, followed by human error. It’s important to note that both of these are completely out of your control. What isn’t out of your control, is making an informed decision around how you proceed with government’s new record system.
 
If we look back on the very recent Facebook Cambridge Analytica breach – it’s evident that your data can turn up when you least except it. While this was mainly personal details, a lot more is at stake when it comes to matters of medicine.
 
The adoption of the Australian government’s My Health Record has the potential to leak far more intimate data. Data about your medical history such as mental health, medication, family planning, Hep C and HIV status, alcohol and recreational drug history, sexual preferences and abortions and I’m sure the list continues.
This is the kind of data, I, personally wouldn’t want to end up in the wrong hands, or any hands that I don’t know about for that matter. And there are many places it could end up.
 
To start there’s the obvious. Criminals intent on committing fraud and extortion, insurance companies who have a definite, if questionable, interest in using health history to shape policies and premiums. There are marketing firms as well as any organisations interested in your data for monetary gain.
 
And then there’s activists seeking to use your data to damage the reputation of public or private figures and really, any government agency that now has, or is granted in the future, authorised access to your very personal medical data for whatever reason.

These are all bodies that could potentially get a hold of your data – but it’s important to think about the consequences of this. From identity theft and fraud to blackmail, extortion and harassment, there are many ways your own data could be used against you.
 
Personal medical history getting into the hands of those with ulterior motives could result in opportunistic marketing, discrimination, job loss or even plain old embarrassment. No one wants their history splayed out for anyone with a mouse to access.
 
While I’m sure the government’s intention is not for your data to work against you, it is impossible to guarantee there won’t be a breach, and the value of this sort of information makes one (well, many) all but certain. This can be in the form of deliberate targeted hacking, drive-by breach (when your info is stumbled upon and not specifically targeted) and really likely, human error.
 
In the case of My Health Record, the most likely scenarios for a human error data breach would be, user sharing information accidentally (like an email sent to wrong address) and misconfiguration of security, database or application infrastructure. Add to this poor practises around information management, like weak security in health provider’s IT and it really is matter of “when” and not “if” a breach will occur.
 
Earlier this year Australia's Privacy Commissioner ruled that the federal Department of Health "unintentionally" breached privacy laws when it published de-identified health records of 2.5 million people online that allowed specific individuals to be identified based on data matching analytics.
 
And in what must be a bitter pill to swallow, the National Health Practitioner Ombudsman and Privacy Commissioner’s website itself was misconfigured for a period of time in the last fortnight – serving up to the world critical files like databases, backups and admin details. It was a misconfiguration for sure – but it’s the perfect example of one that could facilitate a really serious breach and drives home just how careful we need to be and how easy it is to get it wrong.
 
If you look across the pond, to the UK system called Care.data which had an ‘identical’ framework to My Health Record, and failed because drug and insurance companies were able to BUY patient data, it’s clear the system is vulnerable.
 
The thing is, the My Health Record system is actually a great idea. There are huge benefits to be gained from merging personal health records in order to ensure effective treatment and collaboration, fast and accurate allergy and emergency management, reduced prescribing errors and - especially for people with long-term health problems - an efficient way to document the patient’s history for all practitioners involved.
 
But, unlike passwords and financial information that if breached can be changed, your health history cannot – once it’s out there, it’s out there and you have no control over where it ends up.
 
It is a decision that individuals need to make, based on their own assessment of the benefit vs risk as it applies to them and their families. And it most certainly should not be opted-in by default. Facebook was opt-in by default and look where that, or, your information ended up.

Get in touch with our team to learn how the experts at Kiandra IT can get your online security up to scratch.