My Health Record hit by 99 data breaches
Ninety-nine data breaches have occurred in the controversial My Health Record system in six years but the agency responsible for its rollout insists there has never been a "security or privacy" breach.
Health Minister Greg Hunt has also defended the digital records, which will be created for every Australian from this Thursday unless individuals opt out.
A spokeswoman for the Minister said: "There has never been a reported security breach of the system."
The extent of the breaches to hit the My Health Record has been revealed by the Office of the Australian Information Commissioner, which is notified under mandatory reporting laws when a data breach occurs.
Eleven data breaches occurred in just 11 weeks between July and September 13 this year, according to the OAIC's submission to a recent Senate Inquiry into the My Health Record.
A further 88 cases occurred between July 2012 and June this year, including at least eight cases where an unauthorised third party had access to records.
Another case included a MyGov mixup where a number of individuals were linked to the wrong record.
Other cases included Medicare data being uploaded to the wrong account because individuals had similar demographic information, while other cases involved individuals having the incorrect data uploaded because fraudsters made Medicare claims in their name.
Mr Hunt's office said the Australian Digital Health Agency had "no evidence that any of these matters led to unauthorised access to any individuals' health information".
An ADHA spokesman told News Corp the 11 most recent breaches were either administrative processing errors where inaccurate or incorrect data was uploaded to the system, which occurred in six cases, or were cases of allegedly fraudulent Medicare claims.
"These do not constitute privacy or security breaches to the system," he said.
"In six years of operation, there has never been a reported security or privacy breach of the system."
Asked about the eight cases where unauthorised third parties had access to My Health Records, the spokesman said: "The term 'privacy breach' is not defined in legislation."
"The Australian Digital Health Agency notifies the OAIC in all instances where there may have been a 'notifiable data breach' which is a defined term."
Labor's Health spokeswoman Catherine King said the confusion around these data breaches would only add to public concerns about the My Health Record.
"Minister Hunt says there have been no breaches - but the Office of the Australian Information Commissioner appears to say something different," she told News Corp.
"The Minister should publicly explain this discrepancy and stop hiding behind ridiculous technicalities."
Ms King again called for a review of the My Health Record's privacy provisions "so that lingering privacy concerns like these can be properly addressed".
But she welcomed the Health Minister's announcement last week that the government would make further changes to the health records, including boosting the penalties for improper use of a My Health Record from two years to five years' jail and more than doubling the fines for individuals to $315,000.
It will also include stronger protections against the misuse of records in domestic violence situations and to prohibit employers from accessing potential employees records.
Australians will have a My Health Record created for them from Thursday this week unless they opt out but the government intends to introduce changes to the legislation so people can permanently delete their record or just parts of their record at any time in their lives.
Cyber security expert Nigel Phair, from the University of New South Wales, said the overall My Health Record database was unlikely to be hacked but he predicted data breaches would occur around compliance and governance of the system, including doctors potentially viewing records they shouldn't out of personal interest.
"More people are looking at it. It's a numbers game, there's going to be more breaches," he said.
"Some of those are going to just be admin oversights and some of them might be criminally based."
He said a breach was still a breach even if it didn't occur through hacking.