Australia, your privacy has been breached
THE sensitive health data of Australians is subject to a data breach every two days and the organisations and governments that fail to protect it are facing no financial penalties.
As outrage builds over Facebook's failure to protect privacy, a News Corp investigation has uncovered health data that shows if Australians have a sexually transmitted disease, mental illness, HIV or an abortion, even whether they've used a prostitute, is not properly protected.
A new mandatory notification scheme that requires businesses to report to the Office of the Australian Information Commissioner when there is a data breach shows in the first 37 days of the new regime a data breach occurred every two days in the health sector.
However, to date most of the companies involved in massive health data breaches have suffered no financial penalty and have simply signed undertakings to do better.
The OAIC won't even name the latest offenders under the mandatory notification scheme and says the seriousness of the offence, the number of people affected and the harm a data breach causes are key factors in any action it takes.
"One of the key objectives of the NDB scheme to ensure organisations notify individuals of a data breach involving their personal information, if it is likely to result in serious harm," a spokeswoman for the OAIC said.
There is provision for the OAIC to order compensation payments to victims which has occurred in at least one case and there is also a civil penalty for a serious or repeated interference with privacy of $420,000 for individuals and $2.1 million for body corporates but it's not been used.
Australians should be worried about these repeated breaches because health information could be used in child custody battles, life insurers may use it to increase premiums, it could potentially be used to bribe people.
IT security expert Troy Hunt was a victim of one of Australia's biggest health data breaches when the Red Cross accidentally exposed online the details of 550,000 of its blood donors.
He says the information could be used in identity theft, to hijack your mobile phone and demand ransom to unlock it, to send spam messages under your name to your friends asking for money.
Mr Hunt who runs the website haveibeenpwned.com that allows people to check if they have an account involved in a data breach says Australia's data breach penalties are among the weaker in the world.
Late next month in Europe penalties for data breaches will be set at four per cent of a company's gross annual turnover and "we absolutely need the same thing here," he says.
Even though Australian companies have not been fined for data breaches the cost of cleaning up the data breaches that have occurred cost organisations like the Red Cross millions, he said.
Privacy Foundation chief Bernard Robertson-Dunn sayspeople know they can get away with health data breaches.
"The law has to not just detect but has to be a deterrent and we are concerned the law is not being applied meaningfully," he said.
Professor Sandeep Gopalan from Deakin University says pressure has to be applied on those who collect and retain health data to invest in the strongest cyber security protections and there must also be a co-ordinated policy of refusing to make ransom payments.
A spokesperson for health Minister Greg Hunt said "the protection of patient information is critical and we have strong safeguards in place to protect health data in Australia".
"If anyone is found doing the wrong thing with patient information they will face severe penalties, including jail sentences," the spokesman said.
The Department of Health said it was working with the Information Commissioner after it released Medicare and pharmaceutical information that was re-identified in 2016.
"The Department is not aware of any individual or provider having been identified through this release of data. The Information Commissioner also did not find any person or provider that were identified through this release," the department said.
The breaches come as your sensitive health data is being gathered by more and more people.
Medical Director, the firm that provides software to 45 per cent of Australian GPs, is requiring doctors share the health data of all their patients as part of a software update it is rolling out at the moment.
"We've updated the latest software so we are getting everyone's data, de-identified if doctors choose to be involved," Medical Director's Andew Magennis told News Corp.
The Royal Australian College of General Practitioners is in the throes of setting up a firm that will gather patient data from every GP it wants to use for training and research purposes.
Later this year the federal government will give every Australian a digital My Health Record and it is currently working on a formal policy that will allow it to distribute the information to third parties.
New guidelines issued by the Pharmaceutical Society Australia and endorsed by the Australian Digital Health Agency show pharmacists will be able to view information on My Health Record without obtaining the consent of the individual.
The Australian Doigital health Agency says there are criminal penalties for unauthorised access to information in the My Health Record of up to two years in jail and up to $126,000 in fines. Civil penalties can incur up to $630,000 in fines.
"In the 2016/17 Annual OAIC Report, six incidents were reported by the Australian Digital Health Agency as the System Operator. In each instance the access has been limited to human error or to alleged fraudulent behaviour. No clinical incidents have resulted from these matters," a spokesman said.
And it's not just your health data that is being consolidated. The government has been drawing together Australian Taxation Office, human services, education and health data it holds on individuals through the multi-agency data integration project MADIP run by the ABS.