PCEHR privacy breached twice in past year

The Office of the Information Commissioner found two breaches of Australia’s Personally Controlled Electronic Health Record (PCEHR) in the past 12 months.

In its just published eHealth Annual Report 2013–14, the OAIC reports it received two mandatory data breach notifications under s 75 of the PCEHR Act.

“The OAIC was advised by the System Operator of the first data breach in December 2013. This data breach involved a technical change made to the system that meant that healthcare providers could view consumers’ personal health notes. Investigations by the System Operator identified the cause and a technical fix was put in place to prevent further access. The OAIC reviewed the information provided by the System Operator in relation to the breach and determined that the response was appropriate and that no further action was required.

“The System Operator notified the OAIC of the second data breach in May 2014. This breach involved consumers logging into their MyGov account and using their identity verification code (IVC) to access their own PCEHR and link their PCEHR to their MyGov account. In some instances they also accidentally set up access to another consumer’s PCEHR while still logged into their own MyGov account, linking that second consumer’s PCEHR to their own MyGov account. This resulted in the landing page of the first consumer’s PCEHR showing two ‘Open your eHealth record’ buttons, which provided links to open both consumers’ PCEHRs. The System Operator advised that containment strategies had been implemented to prevent similar incidents occurring. It should be noted that the cause of the breach was not related to MyGov. The OAIC sought further information from the System Operator about its response to the breach. The OAIC’s consideration of the data breach notification and the further information provided by the System Operator was ongoing at 30 June 2014.

The OAIC liaised with Health about other incidents relating to the PCEHR system which did not meet the criteria for mandatory data breach notifications under the PCEHR Act. In one of these incidents, an email containing a consumer’s IVC and other personal information was sent to the incorrect email address. The email recipient, however, did not have the other information required to access the consumer’s record. The OAIC provided recommendations to the System Operator about how it could reduce the impact of any future incidents of this type. The System Operator advised that it had implemented the OAIC’s recommendations.

The OAIC also sought legal advice from AGS to clarify the threshold for mandatory notification of data breaches.
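The account-linking failure behind the second breach, modelled as an added example: this is not PCEHR or MyGov code, and the identity attributes, record store and the "one record per account, subject must match" rule are assumed for illustration, since the report does not say what containment the System Operator applied.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Identity:
    """Attributes the portal verified for the logged-in consumer (assumed model)."""
    name: str
    dob: str

@dataclass
class HealthRecord:
    record_id: str
    subject: Identity   # the consumer the record belongs to
    ivc: str            # identity verification code issued for this record

@dataclass
class Session:
    account: str
    identity: Identity
    linked_records: list = field(default_factory=list)

# Constructed sample records keyed by IVC; not real identifiers.
RECORDS = {
    "IVC-AAA": HealthRecord("PCEHR-1", Identity("Alice Example", "1980-01-01"), "IVC-AAA"),
    "IVC-BBB": HealthRecord("PCEHR-2", Identity("Bob Example", "1975-05-05"), "IVC-BBB"),
}

def link_record_unchecked(session, ivc):
    """Flawed flow: any valid IVC is linked to whichever account is logged in,
    so a second consumer's code links their record too (two 'Open' buttons)."""
    rec = RECORDS.get(ivc)
    if rec is None:
        return False
    session.linked_records.append(rec.record_id)
    return True

def link_record_checked(session, ivc):
    """Hardened flow: the IVC must belong to the record of the identity proven
    in this session, and an account links at most its own record (idempotent)."""
    rec = RECORDS.get(ivc)
    if rec is None or rec.subject != session.identity:
        return False
    if rec.record_id not in session.linked_records:
        session.linked_records.append(rec.record_id)
    return True

def audit_cross_links(sessions):
    """Detection: (account, record) pairs where a linked record's subject is not
    the account holder. Run over stored links to find already-affected accounts."""
    by_id = {r.record_id: r for r in RECORDS.values()}
    return [(s.account, rid) for s in sessions for rid in s.linked_records
            if by_id[rid].subject != s.identity]
```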

The full report is available HERE