ADHA records two My Health Record security incidents in FY20
The agency responsible for oversight of My Health Record has revealed there were two incidents that compromised the medical records system during the 2019-20 financial year.
In its annual report, the Australian Digital Health Agency (ADHA) outlined how one matter reported to the Office of the Australian Information Commissioner (OAIC) involved a breach to the external IT infrastructure that supports the My Health Record System, but assured that no health information was stolen.
“This potential threat to the supporting IT infrastructure connected to the My Health Record system was identified and promptly addressed. There was no impact to the safety of health information in the system,” ADHA stated.
The other breach was in relation to unauthorised access to an individual’s My Health Record, which was reported by a state or territory authority. The ADHA said the incident involved an individual who was receiving treatment from a healthcare facility and the login used to access the record belonged to a member of the person’s treating team.
The number of breaches during 2019-20 was a significant improvement on last year’s 38 cases.
As of 30 June 2020, there were 22.8 million active records on the My Health Record system. A total of 1.75 million people accessed their record via the national consumer portal and a total of 810 million documents were uploaded to the My Health Record system.
During the financial year, ADHA said it also saw significant increases in pathology, diagnostic imaging, and dispense documents, which it attributed to increases in clinical software connections.
Nationally, 67% of private pathology labs were connected to the My Health Record system, which was short of the 80% target that ADHA had set out to achieve for 2019-20. Meanwhile, 23% of private diagnostic imagining practices connected and shared reports with the system, exceeding the 2019-20 target of 20%.
“Extensive engagement with private sector pathology and diagnostic imaging providers continued throughout 2019–20, supporting providers with their connection and software upgrade challenges. Negotiations with several larger organisations regarding their willingness to participate were ongoing, which accounted for the shortfall in private pathology participation for the year,” ADHA reported.
The financial report also outlined that due to the prioritisation of COVID-19 response activities across the health sector, it impacted on project delivery and resources. This included delaying the ability of a number of software providers to deliver enhancements for the ADHA’s secure messaging facility and the establishment of a formal governance arrangement to an implementation plan for the interoperability principles.
During Senate Estimate on Monday, Department of Health officials revealed over 7 million Australians have now downloaded and registered for the COVIDSafe app but confirmed that the app was only used to trace 17 unique cases that were not otherwise identified by manual contact tracing.
“There hasn’t been a change in a number of additional unique contacts that have not been identified in an additional way since we last spoke to the COVID committee [on 29 September],” Department of Health Associate Secretary Caroline Edwards said.
Shadow Minister for Health Chris Bowen and Shadow Minister for Government Services Bill Shorten have, in turn, called the Morrison government out for spending money on an app that has produced little return.
“The government has spent up to AU$70 million on the COVIDSafe app, (most of it on marketing), for 17 traces,” they said. “This is AU$4 million per unique contact.”
The Department of Health was also questioned about the amount of money they spent on external contractors and consultants in 2019-20 during Senate Estimates on Monday.
In response, they outlined that Health had spent a total of AU$127.6 million on 899 contractors and engaged 282 consultants for a total contract value of AU$49.3 million as of 30 June 2020.
Of those, the five largest contracts were awarded to Health Consultants Pty Ltd for AU$1.6 million, KPMG for AU$1.5 million, NSW Council for Intellectual Disability at AU$890,000, and another two contracts were awarded to Pricewaterhouse Coopers for a value AU$1 million and AU$865,000 each.
On the question of whether external consultants or contractors were used to develop the COVIDSafe app, Edwards said the department only used external contractors for legal and privacy advice.
“The only external contract was the privacy assessment, so we got an external contractor to do the privacy assessment, which would be the appropriate thing to do. Most of the development of the actual technical material happened in the Digital Transformation Agency. We didn’t engage anybody for that,” she said.