Posted on December 19, 2017 at 5:06 PM
An estimated 2.9 million patient records have recently been accidentally leaked. They include highly sensitive medical information such as medical treatment, pregnancy terminations, and medications.
The Australian Department of Health has accidentally exposed highly sensitive health records of around 2.9 million Australians, which include information such as current medical treatment, medication, past surgical records, and pregnancy records. The data forms part of the Medicare Benefits Scheme and Pharmaceutical Benefits Scheme and was previously made available to the public during August 2016.
The health records, which were intended to be anonymised, also included the billing information of millions of Australian patients between 1984 and 2014.
However, according to the University of Melbourne researchers, the released information could be easily traced back to the relevant patients, without needing to resort to complex decryption methods. A possible attacker could merely use information regarding the patient, such as year of birth and prior medical procedures.
According to Dr. Chris Culnane, the exposed records could easily be retraced to the patient’s real-life identity by simply using information about the patient that was already available on the record, such as year of birth and previous surgeries. Culnane formed part of the research team, along with Dr. Vanessa Teague and Dr. Benjamin Rubinstein.
Dr. Culnane added that this latest instance illustrated how easily anonymization could fail, which in turn posed several questions regarding the fine balance between an individual’s right to privacy and data sharing.
The Department of Health removed the data shortly after the research team notified it of the data breach. However, the data was publicly available for a month before being discovered and removed.
The research team demonstrated that they could identify patient records, which included the identification of seven Australian public figures, such as current or former MPs, and an Australian football player.
According to Dr. Rubinstein, while a unique match is not always accurate, cross-referencing data allowed them to accurately match records to patients.
Dr. Rubinstein added that the exposed data only included about 10% of the total Australian population, which created the possibility of coincidental matches to individuals who weren’t included in the exposed data. However, Dr. Rubinstein added that the research team improved their linking process by cross-referencing the available data with the second set of billing information. The team also considered the uniqueness of each record in order to correctly re-identify the records.
According to Dr. Teague, an initiative that publicly releases sensitive information, such as tax records or Centrelink data, under a cloud of anonymization is likely to fail. Dr. Teague added that the initiative tries to balance two goals that are inconsistent with one another: informing the public while protecting the privacy of individuals, something which Dr. Teague believes to be impossible.
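The uniqueness the researchers describe can be measured by a data custodian before a release. The following is an added example, not code from the article, the researchers or the Department: it counts how many records share each combination of quasi-identifiers (a k-anonymity check). The rows are constructed and the field names `yob` and `events` are assumptions.

```python
from collections import Counter

# Constructed sample rows (not real data). Field names are assumptions:
# "yob" is year of birth, "events" is a list of (procedure, year) billing items.
RECORDS = [
    {"id": "r1", "yob": 1970, "events": [("appendectomy", 1995)]},
    {"id": "r2", "yob": 1970, "events": [("knee surgery", 2003)]},
    {"id": "r3", "yob": 1970, "events": [("appendectomy", 1995)]},
    {"id": "r4", "yob": 1982, "events": []},
    {"id": "r5", "yob": 1982, "events": [("tonsillectomy", 1990)]},
    {"id": "r6", "yob": 1965, "events": [("hip replacement", 2010)]},
]

def birth_year_only(rec):
    """Quasi-identifier key using year of birth alone."""
    return (rec["yob"],)

def birth_year_and_history(rec):
    """Quasi-identifier key using year of birth plus procedure history."""
    return (rec["yob"], frozenset(rec["events"]))

def class_sizes(records, key_fn):
    """Map each record id to the number of records sharing its key."""
    counts = Counter(key_fn(r) for r in records)
    return {r["id"]: counts[key_fn(r)] for r in records}

def below_k(records, key_fn, k=2):
    """Ids of records whose equivalence class is smaller than k."""
    sizes = class_sizes(records, key_fn)
    return sorted(rid for rid, n in sizes.items() if n < k)

def audit(records, k=2):
    """Compare re-identification exposure for each quasi-identifier set."""
    report = {}
    for name, fn in (("birth year", birth_year_only),
                     ("birth year + history", birth_year_and_history)):
        risky = below_k(records, fn, k)
        report[name] = {"below_k": risky, "share": len(risky) / len(records)}
    return report

if __name__ == "__main__":
    for name, result in audit(RECORDS).items():
        print(f"{name}: {result['below_k']} ({result['share']:.0%} below k=2)")
```

Records listed under `below_k` are the ones a custodian would need to generalise, suppress or keep inside a controlled-access environment rather than publish.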
Dr. Teague added that sensitive information which is made publicly available needs a controlled release, as well as a secure research environment if it is to succeed. She concluded by stating that prohibiting re-identification will not solve the issue, only make it more complex, as it will stifle both research and the general public discourse regarding the issue.
According to the Health Department, no patient has actually been affected by the breach. The Department added that it considers the matter a top priority and has, since the discovery, notified the Privacy Commissioner.
According to a spokesperson from the Department of Health, the information was removed immediately after the Department was notified of the breach, and the Department has since ceased the project’s operation. The spokesperson added that this issue has been around since 2016 after the Australian Government took legal steps to manage and protect sensitive information. The Department of Health has since partnered with the researchers from the University of Melbourne to optimize the data sharing processes.
However, the spokesperson for digital rights, Senator Jordon Steele-John, declared the latest incident a data breach on a grand scale.
In an interview with BuzzFeed News, Steele-John noted that prohibiting data sharing will not stop data breaches from occurring and that the issue lies in the ease with which individual records can be re-identified.