Showing posts with label data theft. Show all posts
Showing posts with label data theft. Show all posts

Wednesday, 28 August 2019

Do you know exactly who Medicare, your GP, specialist doctor or local area health service are sharing your personal medical information with?


Electronic Frontiers Australia, media release, 26 August 2019: 

Australia, Melbourne — Monday 26 August 2019 — EFA, Future Wise, Digital Rights Watch and APF today call again for a comprehensive review of privacy provisions for healthcare data. 

 Following the HealthEngine scandal in 2018, and the recent use of Pharmaceutical Benefits Scheme (PBS) data to assist recruitment into research on Bipolar disorder, a Twitter user on Friday 23 August shared a SMS message attempting to recruit him into a clinical trial. 

This appears to have occurred through the use of Precedence Healthcare’s InCa (Integrated Care) health platform. Research by members of digital rights organisations today revealed that sensitive patient details—including contact details, demographics and complete medical histories—can be shared with a wide range of partners, including, it appears, private health insurers. 

Dr Trent Yarwood, health spokesperson for Future Wise and a medical specialist, said “Secondary uses like this are a very ethically murky area. People don’t generally expect to have personal details from their healthcare providers made available to anyone, even if well intentioned.” 

The terms and conditions of the application include access to data from myHealthRecord. “While the My Health Records Act includes privacy provisions, once this data is accessed by an external system, these provisions no longer apply,” continued Dr Yarwood. “I’m very concerned that practices making use of this system are not aware of just how widely this data can be shared—and that they are expected to fully inform patients of the nature of the data use,” he concluded. 

“This kind of barely-controlled data sharing is only possible because of how little privacy protection is provided by the current legislation,” said Justin Warren, Electronic Frontiers Australia board member. 

“People have made it clear time and time again that information about their health is extremely personal, private, and they expect it to be kept secure, not shared with all and sundry,” he said. “What people think is happening is quite different to what actually is, and these companies are risking catastrophic damage to patient trust with their lust for data.” 

“If you found out your doctor was sharing your full medical history with private health insurers, or the police, would you keep seeing them?” he added. 

Robust privacy protections are needed for all Australians, such as by finally giving us the right to sue for breach of privacy, requiring explicit consent for each disclosure of medical or health data to a third party, and proper auditing of record-access that is visible to the patient. It is imperative that the risks of health data sharing receive greater attention. [my yellow highlighting]

Australian Health Information Technology, 25 August 2019: 

This Seems To Be A System Of Sharing Personal Health Information That Is Rather Out Of Control. 

I noticed this last week: How does Inca collect and share health information? 

Updated 1 month ago 

Precedence Health Care’s Integrated Care Platform (Inca) is a cloud- based network of digital health and wellness services, including MediTracker mobile application services. 

It is important that all users of Inca services understand how the network collects and shares health information (“personal information”) and are aware of their responsibilities for gaining informed consent from patients. 

To the extent applicable (if at all), the Health Privacy Principles (or equivalent), which operate in some jurisdictions, should guide your actions. In the absence of applicable Health Privacy Principles, you should refer to relevant Commonwealth, State or Territory privacy legislation, and assistance can also be derived by referring to the website of the Office of the Australian Information Commissioner. You should make sure you are familiar with the applicable principles or other relevant guidance, and also with Precedence Health Care’s Privacy Policy. 

Inca collects and shares personal information about patients and other persons under care (also called “consumers”) who consent to this information being stored and shared in the network. This information may come from a variety of sources, including the clinical software systems used by GPs (e.g., Medical Director, Best Practice); other members of the patient’s care team (e.g., allied health professionals, medical specialists); the patient themselves; participating health services and pathology services; and the Commonwealth’s My Health Record. 

Inca uses this information to provide a range of health care and wellness services to the patient and their care team. 

Prior to contributing a patient’s personal information to be stored in or used by Inca, users must obtain informed consent from patients for the collection and sharing of this information. Ensuring that patients are informed about what will happen with the information that is being shared is a fundamental component of best practice in privacy, so it is important that all Inca users and patients know what information is available on Inca and who has access to that information. 

When a patient’s GP or other person authorised by the GP uses Inca to collect personal information from their general practice clinical system, Inca will extract and share the following information: 

· Patient demographics 
· Alcohol consumption and smoking status 
· Allergies and adverse reactions 
· Family and social history 
· Observations and results 
· Current medications 
· Immunisation history 
· Current and past problems 

If the patient or the GP does not wish to share some of this information, the GP’s clinical system should provide a means for declaring such data “confidential” and thereby preventing it being sent to Inca. 

GPs who do not know how to do this should contact the provider of their clinical software. Inca may also collect and share information obtained from other sources. 

These include: 

· Information that the GP or any member of the care team or the patient themselves adds to the patient record or to any notes concerning the patient’s care using Inca services, web sites or mobile devices. This information may include contact information, measurements, care plans, assessments, referrals, progress notes, appointments, and other related personal and health information. 

· Information from participating Health Services, including discharge summaries and emergency department attendance. 

· Information obtained from My Health Record. This information may include some or all of the data stored in the patient’s My Health Record. 

It is the responsibility of the provider of information stored in or used by Inca, or the person who grants access to such information, to inform the patient of the type of personal information that is so provided or made accessible. 

Inca will provide access to a patient’s personal information with the patient’s GP and care team, the patient (or their carer as authorised by the patient), participating Health Services, and some others as necessary to provide the services of Inca. Precedence Health Care may share de-identified data (that is, data from which it is impossible to ascertain who you are) to persons or organisations who are engaged in research, trials and analyses relating to improvements in health and the management of health services. The way Inca shares and protects this information is described in the Precedence Health Care Privacy Policy. 

It is important that patients understand what information is being shared, who it is being shared with, and for what purpose. It is the responsibility of the persons providing this information to ensure that each patient is aware that their personal and health information is being stored on a computer system hosted on a secure site in Australia, as described in the Precedence Health Care Privacy Policy. 

It is also important for all users of Inca to be aware that this information may not be complete, up to date, or accurate. 

In seeking informed consent to participate, patients should be advised that any measurements or notes that they enter into Inca are not continuously monitored and will be available to members of the patient’s care team only when the provider next logs in to Inca. 

Patients who are concerned about any condition should contact their GP or other health care provider using their normal means (e.g., phone) and should not use Inca for this purpose. 

Please contact Precedence Health Care’s Privacy Officer on (03) 9023 0800 or email privacy@precedencehealthcare.com if you have any questions or concerns about our Privacy Policy, or if you wish to suggest improvements. You may also contact your State’s Privacy Commissioner or Ombudsman to get advice about privacy or make a complaint. 

Here is the link: https://phc.zendesk.com/hc/en-us/articles/360021090952-How-does-cdmNet-collect-and-share-health-information- 

For background Precedence Health run a shared patient data base which is accessible to GPs, Specialists and Allied Health Staff for the purpose of care planning and co-ordinating care. Using their system allows GPs to claim a Medicare Item No for this service. They also provide patient access to the data and have services such as reminders etc in an app. 

All that said this system, on its own statements, just sucks information from everywhere (GP systems, health services and the myHR) and pops it into one database. One user, who is now switching it off, revoking consent and getting out has described to me a collection of erroneous and mis-sorted data on their record. 

More they seem to be happy to hand out the data to others claiming it is de-identified – and we all know how in-effective that can be! 

The rather loose way consent rules for disclosure appear to be enforced is also a worry. 

They even have the legendary myHR disclaimer that “It is also important for all users of Inca to be aware that this information may not be complete, up to date, or accurate.” Doh! 

You can see the Privacy Policy here if you wish! https://phc.zendesk.com/hc/en-us/articles/360021091012-Privacy-Policy- 

Don’t know about you but none of my information would go anywhere near this if I could help it! It looks like a serious unthought through shambles to me. 

What do you think? 

David.  [my yellow highlighting]

Sunday, 11 August 2019

Alleged data theft by HealthEngine leaves hundreds of thousands of Australians vulnerable


Perhaps now is the time for readers to check who owns the company they might use to make medical appointment online.

ABC News, 8 August 2019: 

Australia's biggest medical appointment booking app HealthEngine is facing multi-million-dollar penalties after an ABC investigation exposed its practice of funnelling patient information to law firms. 

The Australian Competition and Consumer Commission has launched legal action against the Perth-based company in the Federal Court, accusing it of misleading and deceptive conduct. 

In June last year, the ABC revealed HealthEngine was passing on users' personal information to law firms seeking clients for personal injury claims. 

The details of the deal were contained in secret internal Slater and Gordon documents that revealed HealthEngine was sending the firm a daily list of prospective clients at part of a pilot program in 2017.



The ACCC has also accused the company of passing the personal information of approximately 135,000 patients to insurance brokers in exchange for payments.


"Patients were misled into thinking their information would stay with HealthEngine but, instead, their information was sold off to insurance brokers," ACCC chairman Rod Sims said in a statement.

The information sold included names, phone numbers, dates of birth and email addresses.

The ACCC has not said how much money the company earned form the arrangement.

The ABC revealed last year that HealthEngine had also boasted to advertisers that it could target users based on their symptoms and medical conditions. 

HealthEngine has also been accused of misleading consumers by manipulating users' reviews of medical practices. 

"We allege that HealthEngine refused to publish negative reviews and altered feedback to remove negative aspects, or to embellish it, before publishing the reviews," Mr Sims said. 

Among a range of examples, the ACCC alleges that one patient review was initially submitted as: "The practice is good just disappointed with health engine. I will call the clinic next time instead of booking online." 

But when that review was made public, it was allegedly changed to simply read: "The practice is good." 

HealthEngine is facing a fine of $1.1 million for each breach of the law, but the ACCC has yet to determine how many breaches it will allege....