The number of data breaches involving the My Health Record system fell from 42 to 37 in the past financial year, despite a significant uptick in Australians with a personal electronic health record.
In its most recent annual report, the Australian Digital Health Agency said “38 matters (in 35 notifications) were reported to the Office of the Australian Information Commissioner” in 2018-19.
This compares with “42 data breaches (in 28 notifications)” in 2017-18 and “35 data breach notifications” in 2016-17.
However, as with previous years, there were “no purposeful or malicious attacks compromising the integrity or security of the My Health Record system” over the financial year.
Of the 38 “matters” reported to the privacy watchdog, the My Health Record system operator classified 37 as breaches and one as a “suspected breach”.
While most of these were “attributed to administrative errors” such as cases of intertwined Medicare records and other processing errors, three cases involved “unauthorised access”.
ADHA said two of these cases were the result of “suspected fraud against the Medicare program where the incorrect records appearing in the My Health Record of the affected individual were also viewed without authority by the individual undertaking the suspected fraudulent activity”.
The only other confirmed breach involving unauthorised access was the result of “an incorrect parental authorised representative being assigned to a child”.
The remaining 34 breaches were caused by activities undertaken by Service Australia, which operates the repository on behalf of ADHA.
The majority of these (27) resulted from “data integrity activity ... to identify intertwined Medicare records”, while a further seven resulted from “suspected fraud against the Medicare program involving unauthorised Medicare claims being submitted, with the incorrect Medicare data subsequently appearing in the My Health Record of the affected customers”.
“In all instances, Services Australia took action to correct the affected My Health Records,” ADHA said.
While data breaches were slightly lower than in previous years, the same could not be said from complaints.
After falling from 64 to 57 between 2016-17 and 2017-18, the number of formal complaints climbed to 304 in 2018-19.
This was helped along by the extended opt-out period between July 2018 and January 2019, which saw in excess of 2.5 million Australians elect not have a personal electronic health record created.
As at the end of June 2019, the ADHA estimated there were a total of 22.55 million My Health Records, though only 1.74 million individuals had accessed them during this time.
The ADHA recently kicked off its search for a new My Health Record national infrastructure provider, calling for information about "potential future options for the e-health system".
The new provider will eventually replace Accenture, which has held the lucrative deal for the design, build and integration of the system since 2011.
While the deal was set to expire at the end of the 2020 financial year, the agency has reportedly extended the contract with the IT services provider by another year, according to PulseIT.
