
Answers needed over medical data release

AAP 30/09/2016 Belinda Merhab

The federal government is under pressure to explain why it took three weeks to reveal it had accidentally made public the private health data of Australians.

The health department admitted on Thursday that de-identified medical data it released in August was able to be decoded.

The department was alerted to the breach on September 8 by Melbourne University researchers but kept it secret for three weeks.

Even health service providers whose information the researchers were able to decode have not directly been told of the breach.

A department spokeswoman has told AAP that peak doctor and allied health organisations were briefed on Thursday about the potential of their members' details being released.

She defended the timing of the announcement, saying "there have been many steps taken to develop a measured and comprehensive response".

The department told providers and the public after it established the level of risk involved.

The data was removed immediately but not before it had been downloaded 1500 times by various companies, including private health insurers.

Opposition health spokeswoman Catherine King says the government needs to explain why it kept the breach secret.

Health service providers whose data was compromised should have been contacted immediately.

"It seems extraordinary that the government has not been able to encrypt this data appropriately, has not understood that you can reverse engineer the data to then identify particular providers," Ms King told reporters in Perth on Friday.

"The fact that they have not thought that through frankly shows the government is barely able to run a bloody chook raffle at the moment let alone protect Australians' data privacy."

Health Minister Sussan Ley apologised to doctors for the breach when she addressed the Royal Australian College of General Practitioners annual conference on Thursday, slipping it into her speech as an example of how the government managed risks.

She insisted the government had acted swiftly to tighten privacy laws in response, with Attorney-General George Brandis rushing the day before to amend legislation making it illegal to re-identify de-identified government data without authorisation.

The government says the data was immediately removed from the internet and remained offline but Ms King says it's a case of shutting the door after the horse has bolted.

The health department says of the 1500 downloads, 500 were by academics and government while the remainder were from private firms including health insurance companies and consultancy firms.

It insists no information about patients or health service providers was identified.

"We are confident no names of service providers have been found or publicly released," the spokeswoman said.

The department was working with the researcher who alerted them to the breach "to understand the vulnerabilities and their implications".

The Privacy Commissioner is investigating the matter.
