Privacy Commissioner investigates data privacy breach: Health Department

Potential vulnerability within the Medicare and PBS datasets on government portal.

Comments

The Australian Privacy Commissioner, Timothy Pilgrim, has stepped in to investigate whether any personal information has been compromised in the wake of a potential data privacy breach within the Department of Health.

The speedy move to investigate comes in the wake of the health department’s removal of a reseach dataset from data.gov.au following an alert by Melbourne University researcher, Dr Vanessa Teague from the Department of Computing and Information, who was analysing the 10 per cent linked dataset and found it was possible to decrypt some service provider ID numbers.

“The Department of Health has notified me of a potential vulnerability within the Medicare Benefits Schedule and Pharmaceutical Benefits Scheme datasets, published on data.gov.au,” Pilgrim said in a statement.

“Based on the information provided, I have opened an investigation under section 40(2) of the Australian Privacy Act 1988. The primary purpose of the investigation is to assess whether any personal information has been compromised or is at risk of compromise, and to assess the adequacy of the Department of Health’s processes for de-identifying information for publication.”

Pilgrim said he welcomes the decision of the Department of Health to immediately suspend access to the data set, and the results of his investigation will be published at its conclusion.

At this stage, the Department of Health has temporarily removed datasets that were drawn from the Pharmaceutical Benefits and Medicare Benefits schemes and published on the government’s open data portal, data.gov.au.

It stresses, however, that the dataset does not include names or addresses of service providers and no patient information was identified.

“However, as a result of the potential to extract some doctor and other service provider ID numbers, the Department of Health immediately removed the dataset from the website to ensure the security and integrity of the data is maintained,” the department said.

“No patient information has been compromised, and no information about the health service providers has been publicly identified or released.”

The Department of Health said it is undertaking a full, independent audit of the process of compiling, reviewing and publishing this data and this dataset will only be restored when concerns about its potential vulnerabilities are resolved.