Alleged data theft by HealthEngine leaves hundreds of thousands of Australians vulnerable

Perhaps now is the time for readers to check who owns the company they might use to make medical appointment online.

ABC News, 8 August 2019: 

Australia's biggest medical appointment booking app HealthEngine is facing multi-million-dollar penalties after an ABC investigation exposed its practice of funnelling patient information to law firms. 

The Australian Competition and Consumer Commission has launched legal action against the Perth-based company in the Federal Court, accusing it of misleading and deceptive conduct. 

In June last year, the ABC revealed HealthEngine was passing on users' personal information to law firms seeking clients for personal injury claims. 

The details of the deal were contained in secret internal Slater and Gordon documents that revealed HealthEngine was sending the firm a daily list of prospective clients at part of a pilot program in 2017.

PHOTO: A negative review on HealthEngine's app page complaining about contact from personal injury lawyers. (Supplied: Apple App Store) 

The ACCC has also accused the company of passing the personal information of approximately 135,000 patients to insurance brokers in exchange for payments.

"Patients were misled into thinking their information would stay with HealthEngine but, instead, their information was sold off to insurance brokers," ACCC chairman Rod Sims said in a statement.

The information sold included names, phone numbers, dates of birth and email addresses.

The ACCC has not said how much money the company earned form the arrangement.

The ABC revealed last year that HealthEngine had also boasted to advertisers that it could target users based on their symptoms and medical conditions. 

HealthEngine has also been accused of misleading consumers by manipulating users' reviews of medical practices. 

"We allege that HealthEngine refused to publish negative reviews and altered feedback to remove negative aspects, or to embellish it, before publishing the reviews," Mr Sims said. 

Among a range of examples, the ACCC alleges that one patient review was initially submitted as: "The practice is good just disappointed with health engine. I will call the clinic next time instead of booking online." 

But when that review was made public, it was allegedly changed to simply read: "The practice is good." 

HealthEngine is facing a fine of $1.1 million for each breach of the law, but the ACCC has yet to determine how many breaches it will allege....

The Abbott-Turnbull-Morrison Federal Government still hasn't made personal health data secure

Since about 2014 it has been known that the personal details of Medicare cardholders has been for sale on the dark web.

Despite an April 2014 report by the Australian National Audit Office that the Consumer Directory - which contains all Medicare customer records - was not secure and that cardholder details were for sale, the federal Liberal-Nationals Coalition Government does not appear to have comprehensively acted act on the issue of database security.

It was not unknown that Medicare cardholder details were being used fraudulently.

In 2016-17 Twenty notifications, involving 123 separate breaches, resulted from findings under the Medicare compliance program. In these instances, certain Medicare claims made in the name of a healthcare recipient but not by that healthcare recipient were uploaded to their My Health Record.

When contacted by the mainstream media in July 2017 the Liberal MP for Aston and then Minister for Human Services Alan Tudge denied any prior knowledge of cardholder details being offered for sale.

It was not reported that at the time if he was asked about instances of Medicare cardholder details being used to commit fraud or identity theft.

In August 2017 eHealth Privacy Australia was telling the Senate Finance and Public Administration Committee that:

• There are fundamental weaknesses in both the HPOS (Medicare card data) and My Health Records systems, which make them vulnerable to illegal access.

• Those weaknesses mean that fraudulent users of the systems can assume the identity of legitimate users to gain illegal access.

• It is not sufficient to mitigate these weaknesses in the My Health Records system.

By 1 January 2019 IT News was reporting that Medicare cardholder details fraudulently obtained had been used to access an individual’s My Health Record:

The number of data breaches involving the My Health Record system rose from 35 to 42 in the past financial year, new figures show.

The Australian Digital Health Agency (ADHA) said in its annual report [pdf] that “42 data breaches (in 28 notifications) were reported to the Office of the Australian Information Commissioner” in 2017-18.

As with previous years, the agency said that “no purposeful or malicious attacks compromising the integrity or security of the My Health Record system” were reported in the period.

Of the 42 breaches, one was the result of “unauthorised access to a My Health Record as a result of an incorrect Parental Authorised Representative being assigned to a child”, the agency reported.

A further two breaches were from “suspected fraud against the Medicare program where the incorrect records appearing in the My Health Record of the affected individual were also viewed without authority by the individual undertaking the suspected fraudulent activity”, ADHA said.

In addition, 17 breaches were the result of “data integrity activity initiated by the Department of Human Services to identify intertwined Medicare records (that is, where a single Medicare record has been used interchangeably between two or more individuals)”, the agency said. [my yellow highlighting]

Despite this knowledge the Abbott-Turnbull-Morrison Government has still not grasped the nettle, because on 16 May 2019 The Guardian reported:

Australians’ Medicare details are still being illegally offered for sale on the darknet, almost two years after Guardian Australia revealed the serious privacy breach.

Screenshots of the Empire Market, provided to Guardian Australia, show the vendor Medicare Machine has rebranded as Medicare Madness, offering Medicare details for $US21.

Other vendors charge up to $US340 by offering fake Medicare cards alongside other fake forms of identification – such as a New South Wales licence.

The Medicare Madness listing suggests the Medicare details “of any living Australian citizen” have been available since September 2018.

Guardian Australia first reported patient details were on sale in July 2017, verifying the listing by requesting the data of a Guardian staff member and warning that Medicare card numbers could be used for identity theft and fraud.

The revelation prompted a review lead by former secretary of the Department of Prime Minister and Cabinet Peter Shergold.

The report did not identify the source of the Medicare data leak but suggested that people could use publicly available information about healthcare providers – including their provider number and practice location – to pass security checks and obtain a Medicare card number through the Department of Human Services provider hotline.

The review panel warned the “current security check for release of Medicare card information provides a much lower level of confidence than the security requirements” for Health Professional Online Services, the portal that allows providers to make rebate claims.

An IT industry source, who refused to be named, said the re-emergence of the data breach brings into question government assurances around the privacy of medical data “when those responsible cannot even manage the security of Medicare cards”.

The source said there is a “concerted effort at the moment by law enforcement to curtail darknet market activity”.

“In reality the darknet markets, while disrupted momentarily when their sites are brought down, easily relocate and continue business.”

Darknet markets can simply private message existing clients with a new link to resume business elsewhere. [my yellow highlighting]

Thus far the federal government has failed to recognise where Medicare cardholder details may be being accessed unlawfully, as this 2 August 2018 ABC online article indicates:

Privacy experts have warned that the system opens up health records to more people than ever before, thereby increasing the threat surface — the number of vulnerabilities in a system — dramatically.

Dr Bernard Robertson Dunn, who chairs the health committee at the foundation, says once the data is downloaded into the health system, the My Health record system cannot guarantee privacy.

"Once the data has been downloaded to, for instance, a hospital system, the protections of the hospital system apply, and then the audit logs apply to the hospital system — not to My Health record.

"So there is no way the Government would know who has accessed that data, and it is untraceable and untrackable that that access has occurred."

Dozens of Centrelink clients have had their names published on Facebook by a Commonwealth-funded work-for-the-dole provider

ABC News, 26 April 2019:

Dozens of Centrelink clients have had their names published online in what has been described as a "shocking" abuse of privacy.

A Commonwealth-funded work-for-the-dole provider uploaded lists of people who were required to attend client meetings to a public Facebook page.

"We are at a loss as to why anyone would post about workers' appointments online," union official Lara Watson said.

"We were shocked at the publication of names on a social media platform."

The incidents are the latest to emerge from the Government's flagship remote employment scheme, the Community Development Programme (CDP).

Nearly 50 people from the Northern Territory community of Galiwinku, located 500 kilometres east of Darwin, were affected.

The job service provider, the Arnhem Land Progress Association (ALPA), established the social media page apparently with the intention of uploading such lists.

"Welcome to our Facebook page where we will be posting appointments, courses and CDP information," it wrote last month.

The two sheets of names were posted to the Galiwinku CDP page on March 11 and 12.

Both images were shared to another local Facebook group titled Elcho Island Notice Board, which has more than 2,000 members.

One CDP insider denounced the online uploads, saying they were unprecedented and could have placed job seekers at risk.

"If a person has a family violence order in place to protect them, then perhaps the perpetrator would know where she was," said the source, who requested anonymity.

"It advertised that a person is accessing welfare services, and unfortunately in Australia there's discrimination against people accessing welfare services.

"People can be bullied for being unemployed."

The Galiwinku CDP page appears to have since been removed from the internet but the organisation denied any wrongdoing.

"We do not believe that this is a breach of confidentiality," an ALPA spokeswoman said.....

"All ALPA CDP participants give … media consent when they commence as a participant."......

Facebook spends more than a decade expressing contrition for its actions and avowing its commitment to people’s privacy – but refuses constructive action

“It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions. Facebook should not get to decide what Canadian privacy law does or does not require.” [Canandian Privacy Commissioner  Daniel Therrien, 25 April 2019]

Facbook Inc. professes that it  has taken steps to ensure the intregrity of political discourse on its platform, but rather tellingly will not roll out transparency features in Australia that it has already rolled out in the US, UK, Eu, India, Israel and Ukraine.

The only measure it commits to taking during this federal election campaign is to temporarily ban people outside Australiabuying ads that Facebook determines are “political”.

To date it has not been prepared to move on dishonest actors in Australia who are active on its platform during the election campaign.

So it should come as no surprise that Canada issued this three page news release…….

Office of the Privacy Commission of Canada, news release, 25 April 2019:

Facebook refuses to address serious privacy deficiencies despite public apologies for “breach of trust”

Joint investigation finds major shortcomings in the social media giant’s privacy practices, highlighting pressing need for legislative reform to adequately protect the rights of Canadians

OTTAWA, April 25, 2019 – Facebook committed serious contraventions of Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians, an investigation has found.

Despite its public acknowledgement of a “major breach of trust” in the Cambridge Analytica scandal, Facebook disputes the investigation findings of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia. The company also refuses to implement recommendations to address deficiencies.

“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” says Privacy Commissioner of Canada Daniel Therrien. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.

“The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we’ve identified – or even acknowledge that it broke the law – is extremely concerning.”

“Facebook has spent more than a decade expressing contrition for its actions and avowing its commitment to people’s privacy,” B.C. Information and Privacy Commissioner Michael McEvoy says, “but when it comes to taking concrete actions needed to fix transgressions they demonstrate disregard.”

Commissioner McEvoy says Facebook’s actions point to the need for giving provincial and federal privacy regulators stronger sanctioning power in order to protect the public’s interests. “The ability to levy meaningful fines would be an important starting point,” he says.

The findings and Facebook’s rejection of the report’s recommendations highlight critical weaknesses within the current Canadian privacy protection framework and underscore an urgent need for stronger privacy laws, according to both Commissioners.

“It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions,” says Commissioner Therrien.

In addition to the power to levy financial penalties on companies, both Commissioners say they should also be given broader authority to inspect the practices of organizations to independently confirm privacy laws are being respected. This measure would be in alignment with the powers that exist in the U.K. and several other countries.

Giving the federal Commissioner order-making powers would also ensure that his findings and remedial measures are binding on organizations that refuse to comply with the law. 

The complaint that initiated the investigation followed media reports that Facebook had allowed an organization to use an app to access users’ personal information and that some of the data was then shared with other organizations, including Cambridge Analytica, which was involved in U.S. political campaigns.

The app, at one point called “This is Your Digital Life,” encouraged users to complete a personality quiz. It collected information about users who installed the app as well as their Facebook “friends.” Some 300,000 Facebook users worldwide added the app, leading to the potential disclosure of the personal information of approximately 87 million others, including more than 600,000 Canadians.

The investigation revealed Facebook violated federal and B.C. privacy laws in a number of respects. The specific deficiencies include:

Unauthorized access

Facebook’s superficial and ineffective safeguards and consent mechanisms resulted in a third-party app’s unauthorized access to the information of millions of Facebook users. Some of that information was subsequently used for political purposes.

Lack of meaningful consent from “friends of friends”

Facebook failed to obtain meaningful consent from both the users who installed the app as well as those users’ “friends,” whose personal information Facebook also disclosed.

No proper oversight over privacy practices of apps

Facebook did not exercise proper oversight with respect to the privacy practices of apps on its platform.  It relied on contractual terms with apps to protect against unauthorized access to user information; however, its approach to monitoring compliance with those terms was wholly inadequate.

Overall lack of responsibility for personal information

A basic principle of privacy laws is that organizations are responsible for the personal information under their control. Instead, Facebook attempted to shift responsibility for protecting personal information to the apps on its platform, as well as to users themselves.

The failures identified in the investigation are particularly concerning given that a 2009 investigation of Facebook by the federal Commissioner’s office also found contraventions with respect to seeking overly broad, uninformed consent for disclosures of personal information to third-party apps, as well as inadequate monitoring to protect against unauthorized access by those apps.

If Facebook had implemented the 2009 investigation’s recommendations meaningfully, the risk of unauthorized access and use of Canadians’ personal information by third party apps could have been avoided or significantly mitigated.

Facebook’s refusal to accept the Commissioners’ recommendations means there is a high risk that the personal information of Canadians could be used in ways that they do not know or suspect, exposing them to potential harms.

Given the extent and severity of the issues identified, the Commissioners sought to implement measures to ensure the company respects its accountability and other privacy obligations in the future. However, Facebook refused to voluntarily submit to audits of its privacy policies and practices over the next five years.

The Office of the Privacy Commissioner of Canada plans to take the matter to Federal Court to seek an order to force the company to correct its privacy practices.

The Office of the Information and Privacy Commissioner for B.C. reserves its right under the Personal Information Protection Act to consider future actions against Facebook.  

Related documents:

Report of Findings

Chart: Facebook findings highlight the need for legislative reform

Remarks by the Privacy Commissioner of Canada regarding the Facebook/Cambridge-Analytica investigation

* Note: my yellow highlighting

Nor should this alleged 'mistake' made by Facebook cause surprise.......

The New York Times, 25 April 2019:

SAN FRANCISCO — The New York State attorney general’s office plans to open an investigation into Facebook’s unauthorized collection of more than 1.5 million users’ email address books, according to two people briefed on the matter.

The inquiry concerns a practice unearthed in April in which Facebook harvested the email contact lists of a portion of new users who signed up for the network after 2016, according to the two people, who spoke on condition of anonymity because the inquiry had not been officially announced.

Those lists were then used to improve Facebook’s ad-targeting algorithms and other friend connections across the network.

The investigation was confirmed late Thursday afternoon by the attorney general’s office.

“Facebook has repeatedly demonstrated a lack of respect for consumers’ information while at the same time profiting from mining that data,” said Letitia James, the attorney general of New York, in a statement. “It is time Facebook is held accountable for how it handles consumers’ personal information.”…

Users were not notified that their contact lists were being harvested at the time. Facebook shuttered the contact list collection mechanism shortly after the issue was discovered by the press…..

Facebook Inc's rapacious business practices has been the death of online privacy and now threatens the democratic process.

Yet another Australian health data base compromised

The Age, 20 February 2019:

A cyber crime syndicate has hacked and scrambled the medical files of about 15,000 patients from a specialist cardiology unit at Cabrini Hospital and demanded a ransom.

The attack is now the subject of a joint investigation by Commonwealth security agencies.

Melbourne Heart Group, which is based at the private hospital in Malvern, has been unable to access some patient files for more than three weeks, after the malware attack crippled its server and corrupted data.

The malware used to penetrate the unit's security network is believed to be from North Korea or Russia, while the origin of the criminals behind the attack has not been revealed.

The online gang responsible for the data breach demanded a ransom be paid in cryptocurrency before a password would be provided to break the encryption.

The Age understands that a payment was made, but some of the scrambled files have not been recovered, among them patients' personal details and sensitive medical records that could be used for identity theft.

Some patients were told that their files had been lost but were not given any explanation. Others have turned up for appointments for which the hospital had no record.

The Australian Cyber Security Centre, which is part of the Australian Signals Directorate – the government agency responsible for Australia's cyber warfare and information security – said it was assisting the hospital with cyber security advice.

The Australian Federal Police has also been briefed.

A Melbourne Heart Group spokeswoman said it was working with government agencies to resolve the issue.

Facebook Inc still getting caught out spreading fake news and breaching users' privacy

The Guardian, 13 December 2018:

Journalists working as factcheckers for Facebook have pushed to end a controversial media partnership with the social network, saying the company has ignored their concerns and failed to use their expertise to combat misinformation.

Current and former Facebook factcheckers told the Guardian that the tech platform’s collaboration with outside reporters has produced minimal results and that they’ve lost trust in Facebook, which has repeatedly refused to release meaningful data about the impacts of their work. Some said Facebook’s hiring of a PR firm that used an antisemitic narrative to discredit critics – fueling the same kind of propaganda factcheckers regularly debunk – should be a deal-breaker.

“They’ve essentially used us for crisis PR,” said Brooke Binkowski, former managing editor of Snopes, a factchecking site that has partnered with Facebook for two years. “They’re not taking anything seriously. They are more interested in making themselves look good and passing the buck … They clearly don’t care.”….

“Why should we trust Facebook when it’s pushing the same rumors that its own factcheckers are calling fake news?” said a current Facebook factchecker who was not authorized to speak publicly about their news outlet’s partnership….

 “Working with Facebook makes us look bad,” added the journalist, who has advocated for an end to the partnership…..

ABC News, 15 December 2018:

Facebook said a bug had exposed private photos of up to 6.8 million users, the latest in a string of glitches that have caused regulators around the world to investigate the social media giant's privacy practices.

The bug allowed some 1,500 applications to access private photos for 12 days ending September 25, Facebook said.

"We're sorry this happened," it said in a blog targeted at developers who build apps for its platform.

Facebook said the bug was now fixed.

The problem is the latest in a string of security and privacy issues that have caused complaints from users and led to investigations by regulators and politicians.

The issues include the massive Cambridge Analytica scandal and a security breach that affected nearly 30 million users.

The company said it would send an alert through Facebook to notify users whose photos may have been exposed by the latest issue.

The alert will direct them to a link where they will be able to see if they have used any apps that the bug allowed to access private photos.

Facebook shares fell 1.2 per cent early trading, compared to a 0.9 per cent decline in the Nasdaq composite index......

Clifton Gardens-Mosman residents, you have a data breach......

looks like apple got access to a bunch of Australian business regos and just dumped them into maps without validation. Now everyone’s ‘retirement trusts’ (SMSFs) are showing up... pic.twitter.com/2etZKaTYMA

— Maxwell Swadling (@mxswd) July 21, 2018

I spy with my little eye a former "young broker of the year", a number of Self-Managed Superannuation Funds and a slew of private corporations whose registered addresses are not so private anymore.

"Bad actor" Facebook Inc given £500,000 maximum fine - any future breach may cost up to £1.4bn

The Guardian, 11 July 20018:

Facebook is to be fined £500,000, the maximum amount possible, for its part in the Cambridge Analytica scandal, the information commissioner has announced.

The fine is for two breaches of the Data Protection Act. The Information Commissioner’s Office (ICO) concluded that Facebook failed to safeguard its users’ information and that it failed to be transparent about how that data was harvested by others.

 “Facebook has failed to provide the kind of protections they are required to under the Data Protection Act,” said Elizabeth Denham, the information commissioner. “Fines and prosecutions punish the bad actors, but my real goal is to effect change and restore trust and confidence in our democratic system.”

In the first quarter of 2018, Facebook took £500,000 in revenue every five and a half minutes. Because of the timing of the breaches, the ICO said it was unable to levy the penalties introduced by the European General Data Protection (GDPR), which caps fines at the higher level of €20m (£17m) or 4% of global turnover – in Facebook’s case, $1.9bn (£1.4bn). The £500,000 cap was set by the Data Protection Act 1998.

As one of the IT whistleblowers described the situation...

Just to sum up. 1) Facebook broke the law. 2) Cambridge Analytica broke the law. 3) Vote Leave broke the law. 4) LeaveEU broke the law. 5) Brexit and Trump were both won through breaking the law. 6) Facebook let it all happen and covered it up. https://t.co/CAOrP5rKry

— Christopher Wylie 🏳️🌈 (@chrisinsilico) July 11, 2018

Oi! Malcolm Bligh Turnbull and every dumb-witted member of his federal government as well as every premier and member of a state or territory government – when are you all going to wake up to the fact that digital is bloody dangerous?

For literally hundreds of years now, first in colonial, then in dominion and later in federation periods, Australia has relied on a 'paper and ink' processes to decide major political votes by its eligible citizens.

By and large this system has produced reliable results with regards to the people's will.

However, in the 21st Century government's blind infatuation with digital 'innovation' is now dangerously out-of-control.

This is evidence of just the latest red flag that Australian governments have ignored ……

The Mercury online, 30 June 2018:

The personal information of about 4000 Tasmanian voters has been leaked after a data breach on a third-party website linked to express votes, the state’s Electoral Commission has revealed.

Tasmanian Electoral Commissioner Andrew Hawkey said hackers had access to the names, dates of birth, emails and postal addresses of those who applied for an express vote at the recent state and Legislative Council elections.

“Early today, the Tasmanian Electoral Commission was informed by the Barcelona-based company Typeform, that an unknown third party had gained access to one of their servers and downloaded certain information,” he said.

“Typeform online forms have been used on the TEC website since 2015 for some of its election services. The breach involved an unknown attacker downloading a backup file.

“Typeform’s full investigation of the breach identified that data collected through five forms on the TEC website had been stolen.”

MORE: STATEMENT BY TYPEFORM

The breach was identified by Typeform on June 27 and shut down within half an hour of detection, Mr Hawkey said.

“The Electoral Commission will be contacting electors that used these services in the coming days to inform them of the breach,” Mr Hawkey said.

“The Electoral Commission apologises for the breach and will re-evaluate its collection procedures and internal security elements around its storage of electoral information for future events. The breach has no connection to the national or state electoral roll.”

Mr Hawkey said some of the stolen information had previously been made public, such as candidate statements for local government by-elections.

Typeform said it had responded immediately and had fixed the source of the breach to prevent further hacks.

“We have since been performing a full forensic investigation of the incident to be certain that this cannot happen again,” a statement on the Typeform website read.

“The results that were accessed are from a partial backup dated May 3, 2018. Results collected since May 3 are therefore safe and not compromised.’

Typeform reportedly provides services for some pretty big names, including Apple, Uber, Airbnb and Forbes.

The hack comes after up to 120,000 Tasmanian job seekers may have had their personal information compromised following a data breach reported by human resources company PageUp in early June.

That site was linked to the Tasmanian Government and the University of Tasmania.

The State Government is still waiting for a further response from PageUp but it is believed the breach was limited to names, addresses, emails and phone numbers.