MARK COLVIN: A South Australian company is trying to limit the damage after a security breach which may have exposed the private medical details of hundreds of people.
The State Government is now investigating how the medical laboratory Medvet allowed personal details to be accessible online.
Google searches over the weekend unearthed the details of people who ordered paternity tests or were drug tested.
South Australia's Health Department says the private details have now been removed.
But experts say the lapse has the potential to open the company and the Government up to compensation claims.
Nance Haxton reports.
NANCE HAXTON: More than 800 people around the country have potentially had their personal details exposed by South Australian drug laboratory Medvet.
The company carries out medical tests - particularly paternity, DNA and drug tests - and is owned by the South Australian Health Department.
The department is now investigating how customers who placed online orders had their personal details revealed by Google internet searches.
Customers who placed online orders for the sensitive tests in the last year are susceptible to the breach.
SA Health CEO David Swan says they think a software glitch is to blame.
DAVID SWAN: In this instance it appears that there's been some issue that's been, that occurred with the software between Google and some software that was being used by the company to register requests for drug tests. And that has allowed some information to be available on the web.
We're very concerned about any information that's available that is of a private nature. And that's why we've requested the board of Medvet to undertake an independent investigation, both from a forensic IT perspective but also from the events that have led up to this. We want to make sure we get to the bottom of it.
NANCE HAXTON: IT expert David Raffen says it's more likely that the company's security was not tight enough.
DAVID RAFFEN: My policy is that if it's available to one person it's potentially available to many.
We put in a lot of controls and security to stop that from occurring. We put padlocks on our own house but people can pick the locks. They can break the door down.
So any information that's on an electronic media is available potentially to somebody else.
I think that in this instance it's been somebody that's either naive in what they've done. I don't think that people have deliberately gone out to have this information available.
But by publishing it, they've set it up that, not knowing that Google is out there searching all the time, potentially the information can be put back up onto the net.
NANCE HAXTON: The case has exposed a potential privacy hole for people who order medical tests online.
The privacy commissioner is also investigating.
Australian Privacy Foundation Health chair Juanita Fernando says this is the latest in a series of security lapses of sensitive personal details, and highlights the need for a privacy tort of law so people have a right to recourse.
JUANITA FERNANDO: It's a significant security breach in terms of numbers or volume, but it's not a significant security breach in terms of being in any way out of the ordinary.
NANCE HAXTON: So there's the potential that other companies could have similar information available online, do you think?
JUANITA FERNANDO: Oh there is. There has been in fact at least two- Well, one that hit the press which was a pathology instance - an instance of an electronic pathologist that published all patient information online, including I think it was demographics as well as test results.
And then there are instances that were reported to the Australian Privacy Foundation that don't actually make it to the press. One that I've been dealing with recently is a clinician who posted 22 discharge sheets on the web without realising that that was what they were doing.
And I think that that actually triggers another really, really important elephant in the room here, and that relates to training.
I think a lot of organisations concentrate on the technical aspects of their systems, and they don't concentrate or they don't look at the human factors aspects of their systems.
NANCE HAXTON: And does it also open up the possibility, do you think, of potentially lodging compensation claims for this breach?
JUANITA FERNANDO: Look, I think that's inevitable. But my understanding is that yes, that there's been a significant level of demand for compensation.
NANCE HAXTON: So this really highlights the need for better legislation, you think?
JUANITA FERNANDO: Oh absolutely! There's absolutely no doubt about the need for better legislation. It is heinous, I think, that there is no legislation. We are talking about people here. We are not talking about machines.
People don't understand when they're working with information that a MetaCrawler is likely to collect that information and then publish it on the web. They think that all they've done is they've used the internet to upload a record at their workplace.
NANCE HAXTON: But in fact it's actually quite accessible?
JUANITA FERNANDO: Yes, that's right.
MARK COLVIN: Juanita Fernando from the Australian Privacy Foundation ending Nance Haxton's report.
SA Laboratory exposes hundreds of personal medical details
Nance Haxton reported this story on Monday, July 18, 2011 18:28:00