Medicare data breach prompts law change
The Federal Government has moved to tighten privacy laws after doctor provider numbers were disclosed in a breach of security around Medicare and Pharmaceutical Benefit Scheme data.
Attorney-General George Brandis has announced plans to amend the Privacy Act to make it a criminal offence to re-identify de-identified Government data following a discovery that encrypted MBS and PBS data published by the Health Department had been compromised.
The Department was alerted to the worrying security lapse by Melbourne University Department of Computing and Information researcher Dr Vanessa Teague, who found she was able to decrypt some service provider ID numbers in a dataset being used by her and several of her colleagues. She immediately alerted the Department.
In a statement, the Department said no patient information had been compromised in the incident.
“The dataset does not include names and addresses of service providers, and no patient information was identified,” the Department said. “However, as a result of the potential to extract some doctor and other service provider ID numbers, the Department of Health immediately removed the dataset from the website to ensure the security and integrity of the data is maintained.”
The security breach has come as a Senate inquiry hears concerns about data security surrounding the decision to award Telstra Health $220 million contract to design and operate the National Cancer Screening Registry, and follows the collapse of Australian Bureau of Statistics systems on census night.
The AMA said that although the data security breach was concerning, it should not result in governments withholding data.
The Association said that although it was paramount that personal information be properly secured and protected, it was important that de-identified and encrypted data be made available by Government to help inform research and the analysis of health information.
Senator Brandis reassured that the Government remained committed to making valuable data publicly available.
“The publication of major datasets is an important part of twenty-first century government providing a great benefit to the community,” the Attorney-General said. “It enables…policymakers, researchers and other interested persons to take full advantage of the opportunities that new technology creates to improve research and policy outcomes.”
But Senator Brandis said that advances in technology had meant that methods used in the past to de-identify data “may become susceptible to re-identification in the future”.
Under his proposed changes to the Privacy Act, it would be a criminal offence to re-identify de-identified Government data, encourage someone else to do it, or to publish or communicate such data.
The Health Department said it was conducting a “full, independent audit” of the process followed in compiling, reviewing and publishing the data, and promised that “this dataset will only be restored when concerns about its potential vulnerabilities are resolved”.
The Office of the Australian Information Commission is undertaking a separate investigation.