
SA Laboratory exposes hundreds of personal medical details

Nance Haxton reported this story on Monday, July 18, 2011 18:28:00

MARK COLVIN: A South Australian company is trying to limit the damage after a security breach which may have exposed the private medical details of hundreds of people.

The State Government is now investigating how the medical laboratory Medvet allowed personal details to be accessible online.

Google searches over the weekend unearthed the details of people who ordered paternity tests or were drug tested.

South Australia's Health Department says the private details have now been removed.

But experts say the lapse has the potential to open the company and the Government up to compensation claims.

Nance Haxton reports.

NANCE HAXTON: More than 800 people around the country have potentially had their personal details exposed by South Australian drug laboratory Medvet.

The company carries out medical tests - particularly paternity, DNA and drug tests - and is owned by the South Australian Health Department.

The department is now investigating how customers who placed online orders had their personal details revealed by Google internet searches.

Customers who placed online orders for the sensitive tests in the last year are susceptible to the breach.

SA Health CEO David Swan says they think a software glitch is to blame.

DAVID SWAN: In this instance it appears that there's been some issue that's been, that occurred with the software between Google and some software that was being used by the company to register requests for drug tests. And that has allowed some information to be available on the web.

We're very concerned about any information that's available that is of a private nature. And that's why we've requested the board of Medvet to undertake an independent investigation, both from a forensic IT perspective but also from the events that have led up to this. We want to make sure we get to the bottom of it.

NANCE HAXTON: IT expert David Raffen says it's more likely that the company's security was not tight enough.

DAVID RAFFEN: My policy is that if it's available to one person it's potentially available to many.

We put in a lot of controls and security to stop that from occurring. We put padlocks on our own house but people can pick the locks. They can break the door down.

So any information that's on an electronic media is available potentially to somebody else.

I think that in this instance it's been somebody that's either naive in what they've done. I don't think that people have deliberately gone out to have this information available.

But by publishing it, they've set it up that, not knowing that Google is out there searching all the time, potentially the information can be put back up onto the net.

NANCE HAXTON: The case has exposed a potential privacy hole for people who order medical tests online.

The privacy commissioner is also investigating.

Australian Privacy Foundation Health chair Juanita Fernando says this is the latest in a series of security lapses of sensitive personal details, and highlights the need for a privacy tort of law so people have a right to recourse.

JUANITA FERNANDO: It's a significant security breach in terms of numbers or volume, but it's not a significant security breach in terms of being in any way out of the ordinary.

NANCE HAXTON: So there's the potential that other companies could have similar information available online, do you think?

JUANITA FERNANDO: Oh there is. There has been in fact at least two- Well, one that hit the press which was a pathology instance - an instance of an electronic pathologist that published all patient information online, including I think it was demographics as well as test results.

And then there are instances that were reported to the Australian Privacy Foundation that don't actually make it to the press. One that I've been dealing with recently is a clinician who posted 22 discharge sheets on the web without realising that that was what they were doing.

And I think that that actually triggers another really, really important elephant in the room here, and that relates to training.

I think a lot of organisations concentrate on the technical aspects of their systems, and they don't concentrate or they don't look at the human factors aspects of their systems.

NANCE HAXTON: And does it also open up the possibility, do you think, of potential lodging compensation claims for this breach?

JUANITA FERNANDO: Look, I think that's inevitable. But my understanding is that yes, that there's been a significant level of demand for compensation.

NANCE HAXTON: So this really highlights the need for better legislation, you think?

JUANITA FERNANDO: Oh absolutely! There's absolutely no doubt about the need for better legislation. It is heinous, I think, that there is no legislation. We are talking about people here. We are not talking about machines.

People don't understand when they're working with information that a MetaCrawler is likely to collect that information and then publish it on the web. They think that all they've done is they've used the internet to upload a record at their workplace.

NANCE HAXTON: But in fact it's actually quite accessible?

JUANITA FERNANDO: Yes, that's right.

MARK COLVIN: Juanita Fernando from the Australian Privacy Foundation ending Nance Haxton's report.
