My Health Record imaging services security failed ADHA password standards

My Health Record system’s physical and information security measures used to access the My Health Record system for pathology and diagnostic imaging services did not meet the ADHA’s recommended standard for passwords, according to assessments made by the Office of the Australian Information Commissioner’s (OAIC). 

“In relation to physical and information security measures, while most assessment targets reported good physical security measures, most did not meet the ADHA’s recommended standard for passwords used to access the My Health Record system,” the OAIC said.

Detailed in the OAIC’s annual digital health report [PDF], the agency did note, however, that most of My Health Record’s assessment targets reported having a procedure in place for identifying and responding to My Health Record-related security and privacy risks even though there were areas for improvement in relation to recording matters relevant to security breaches.

During the 2020-21 financial year, three data breach notifications were submitted to the OAIC in relation to My Health Record. Two of the three have been finalised.

In the agency’s annual report, which was also released this week, it said 975 data breaches were reported in Australia during the 2020-21 financial year. This was 7% less compared to the previous financial year, with the OAIC saying that 80% of the data breaches reported under its Notifiable Data Breaches (NDB) scheme were finalised within 60 days.

The average time taken to finalise a data breach notification was 62 days, down from 76 days in 2019–20, according to the annual report [PDF]. Two months ago, the agency revealed that malicious or criminal attacks were the largest source of data breaches notified to the OAIC, accounting for 289 breaches, followed by human error which accounted for 134 notifications.

“As the [NDB] matures, we see clear trends: Malicious or criminal attacks are the leading source of data breaches, followed by human error,” the OAIC reiterated in the annual report.

During the financial year, the OAIC also received 2,474 privacy complaints, which was similarly 7% less than the 2019-20 financial year. 2,151 of these privacy complaints have been finalised and were done so, on average, in 4.4 months.

The finance sector submitted the most privacy complaints this past year, with 327. This was followed by the Australian government with 310, health service providers with 301, while retail and online services rounded out the top five sectors by submitting 177 and 152 privacy complaints, respectively.

According to the OAIC, the majority of privacy complaints received by the OAIC were about the handling of personal information under the Australian Privacy Principles (APP). The most common issues raised were regarding use or disclosure of personal information, accounting for 29%, security of personal information with 28%, while 18% of complaints were about access to personal information.

The agency also handled 11,647 privacy enquiries and 1,824 freedom of information (FOI) enquiries in 2020-21. While this was 20% less for both types of enquiries compared to the previous year, the agency received almost 40% more FOI complaints, with organisations submitting 151 FOI complaints.

The OAIC added that it finalised 174 FOI complaints, with some of that figure being complaints raised from the 2019-20 financial year.

It also received 1,224 applications for Information Commissioner (IC) reviews of FOI decisions. It said almost three-quarters of the IC reviews were completed within 12 months, which was around the same rate as last year. The Department of Home Affairs underwent the most IC reviews, being involved in 436. This was more than the combined total of 253 from the next four agencies, which were Services Australia, Australian Federal Police, Department of Health, and the Department of Foreign Affairs and Trade.

In 2020–21, the OAIC also issued 17 determinations in relation to complaints alleging breaches of the APP. This was the most determinations the OAIC has made in a year, it said. Among them was a finding last week that 7-Eleven collected customers’ biometric data without consent and Home Affairs “mistakenly” releasing the personal information of 9,251 asylum seekers.

As of 30 June 2021, the OAIC has just over 120 full-time staff.  Beyond its staff, the OAIC spent over AU$970,000 on consultancy contracts and around AU$455,000 on non-consultancy contracts. Of those contracts, PricewaterhouseCoopers was paid over AU$660,000 and Cypha Interactive was paid AU$200,000.

Related Coverage

• 14 COVIDSafe enquiries to OAIC, but still no complaints or breaches
• 7-Eleven breached customer privacy by collecting facial imagery without consent
• Updated CDR rules to allow accredited participants to appoint representatives
  
  
• 446 Australian breach notifications with 30% of system faults found after a year