Showing posts with label information technology. Show all posts

Sunday, 11 August 2019

Alleged data theft by HealthEngine leaves hundreds of thousands of Australians vulnerable


Perhaps now is the time for readers to check who owns the company they might use to make a medical appointment online.

ABC News, 8 August 2019: 

Australia's biggest medical appointment booking app HealthEngine is facing multi-million-dollar penalties after an ABC investigation exposed its practice of funnelling patient information to law firms. 

The Australian Competition and Consumer Commission has launched legal action against the Perth-based company in the Federal Court, accusing it of misleading and deceptive conduct. 

In June last year, the ABC revealed HealthEngine was passing on users' personal information to law firms seeking clients for personal injury claims. 

The details of the deal were contained in secret internal Slater and Gordon documents that revealed HealthEngine was sending the firm a daily list of prospective clients as part of a pilot program in 2017.



The ACCC has also accused the company of passing the personal information of approximately 135,000 patients to insurance brokers in exchange for payments.


"Patients were misled into thinking their information would stay with HealthEngine but, instead, their information was sold off to insurance brokers," ACCC chairman Rod Sims said in a statement.

The information sold included names, phone numbers, dates of birth and email addresses.

The ACCC has not said how much money the company earned from the arrangement.

The ABC revealed last year that HealthEngine had also boasted to advertisers that it could target users based on their symptoms and medical conditions. 

HealthEngine has also been accused of misleading consumers by manipulating users' reviews of medical practices. 

"We allege that HealthEngine refused to publish negative reviews and altered feedback to remove negative aspects, or to embellish it, before publishing the reviews," Mr Sims said. 

Among a range of examples, the ACCC alleges that one patient review was initially submitted as: "The practice is good just disappointed with health engine. I will call the clinic next time instead of booking online." 

But when that review was made public, it was allegedly changed to simply read: "The practice is good." 

HealthEngine is facing a fine of $1.1 million for each breach of the law, but the ACCC has yet to determine how many breaches it will allege....

Wednesday, 22 May 2019

The Abbott-Turnbull-Morrison Federal Government still hasn't made personal health data secure


Since about 2014 it has been known that the personal details of Medicare cardholders have been for sale on the dark web.

Despite an April 2014 report by the Australian National Audit Office that the Consumer Directory - which contains all Medicare customer records - was not secure and that cardholder details were for sale, the federal Liberal-Nationals Coalition Government does not appear to have comprehensively acted on the issue of database security.

It was also known that Medicare cardholder details were being used fraudulently.


When contacted by the mainstream media in July 2017 the Liberal MP for Aston and then Minister for Human Services Alan Tudge denied any prior knowledge of cardholder details being offered for sale.

It was not reported at the time whether he was asked about instances of Medicare cardholder details being used to commit fraud or identity theft.

In August 2017 eHealth Privacy Australia was telling the Senate Finance and Public Administration Committee that:

• There are fundamental weaknesses in both the HPOS (Medicare card data) and My Health Records systems, which make them vulnerable to illegal access.

• Those weaknesses mean that fraudulent users of the systems can assume the identity of legitimate users to gain illegal access.

• It is not sufficient to mitigate these weaknesses in the My Health Records system.

By 1 January 2019 IT News was reporting that Medicare cardholder details fraudulently obtained had been used to access an individual’s My Health Record:

The number of data breaches involving the My Health Record system rose from 35 to 42 in the past financial year, new figures show.

The Australian Digital Health Agency (ADHA) said in its annual report [pdf] that “42 data breaches (in 28 notifications) were reported to the Office of the Australian Information Commissioner” in 2017-18.

As with previous years, the agency said that “no purposeful or malicious attacks compromising the integrity or security of the My Health Record system” were reported in the period.

Of the 42 breaches, one was the result of “unauthorised access to a My Health Record as a result of an incorrect Parental Authorised Representative being assigned to a child”, the agency reported.

A further two breaches were from “suspected fraud against the Medicare program where the incorrect records appearing in the My Health Record of the affected individual were also viewed without authority by the individual undertaking the suspected fraudulent activity”, ADHA said.

In addition, 17 breaches were the result of “data integrity activity initiated by the Department of Human Services to identify intertwined Medicare records (that is, where a single Medicare record has been used interchangeably between two or more individuals)”, the agency said. [my yellow highlighting]

Despite this knowledge the Abbott-Turnbull-Morrison Government has still not grasped the nettle, because on 16 May 2019 The Guardian reported:

Australians’ Medicare details are still being illegally offered for sale on the darknet, almost two years after Guardian Australia revealed the serious privacy breach.

Screenshots of the Empire Market, provided to Guardian Australia, show the vendor Medicare Machine has rebranded as Medicare Madness, offering Medicare details for $US21.

Other vendors charge up to $US340 by offering fake Medicare cards alongside other fake forms of identification – such as a New South Wales licence.

The Medicare Madness listing suggests the Medicare details “of any living Australian citizen” have been available since September 2018.

Guardian Australia first reported patient details were on sale in July 2017, verifying the listing by requesting the data of a Guardian staff member and warning that Medicare card numbers could be used for identity theft and fraud.


The report did not identify the source of the Medicare data leak but suggested that people could use publicly available information about healthcare providers – including their provider number and practice location – to pass security checks and obtain a Medicare card number through the Department of Human Services provider hotline.

The review panel warned the “current security check for release of Medicare card information provides a much lower level of confidence than the security requirements” for Health Professional Online Services, the portal that allows providers to make rebate claims.

An IT industry source, who refused to be named, said the re-emergence of the data breach brings into question government assurances around the privacy of medical data “when those responsible cannot even manage the security of Medicare cards”.

The source said there is a “concerted effort at the moment by law enforcement to curtail darknet market activity”.

“In reality the darknet markets, while disrupted momentarily when their sites are brought down, easily relocate and continue business.”

Darknet markets can simply private message existing clients with a new link to resume business elsewhere. [my yellow highlighting]

Thus far the federal government has failed to recognise where Medicare cardholder details may be being accessed unlawfully, as this 2 August 2018 ABC online article indicates:

Privacy experts have warned that the system opens up health records to more people than ever before, thereby increasing the threat surface — the number of vulnerabilities in a system — dramatically.

Dr Bernard Robertson Dunn, who chairs the health committee at the foundation, says once the data is downloaded into the health system, the My Health record system cannot guarantee privacy.

"Once the data has been downloaded to, for instance, a hospital system, the protections of the hospital system apply, and then the audit logs apply to the hospital system — not to My Health record.

"So there is no way the Government would know who has accessed that data, and it is untraceable and untrackable that that access has occurred."

Wednesday, 1 May 2019

Facebook spends more than a decade expressing contrition for its actions and avowing its commitment to people’s privacy – but refuses constructive action



“It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions. Facebook should not get to decide what Canadian privacy law does or does not require.” [Canadian Privacy Commissioner Daniel Therrien, 25 April 2019]

Facebook Inc. professes that it has taken steps to ensure the integrity of political discourse on its platform, but rather tellingly will not roll out in Australia the transparency features it has already rolled out in the US, UK, EU, India, Israel and Ukraine.

The only measure it commits to taking during this federal election campaign is to temporarily ban people outside Australia from buying ads that Facebook determines are “political”.


So it should come as no surprise that Canada issued this three-page news release.......

Office of the Privacy Commissioner of Canada, news release, 25 April 2019:

Facebook refuses to address serious privacy deficiencies despite public apologies for “breach of trust”

Joint investigation finds major shortcomings in the social media giant’s privacy practices, highlighting pressing need for legislative reform to adequately protect the rights of Canadians

OTTAWA, April 25, 2019 – Facebook committed serious contraventions of Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians, an investigation has found.

Despite its public acknowledgement of a “major breach of trust” in the Cambridge Analytica scandal, Facebook disputes the investigation findings of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia. The company also refuses to implement recommendations to address deficiencies.

“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” says Privacy Commissioner of Canada Daniel Therrien. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.

“The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we’ve identified – or even acknowledge that it broke the law – is extremely concerning.”

“Facebook has spent more than a decade expressing contrition for its actions and avowing its commitment to people’s privacy,” B.C. Information and Privacy Commissioner Michael McEvoy says, “but when it comes to taking concrete actions needed to fix transgressions they demonstrate disregard.”

Commissioner McEvoy says Facebook’s actions point to the need for giving provincial and federal privacy regulators stronger sanctioning power in order to protect the public’s interests. “The ability to levy meaningful fines would be an important starting point,” he says.

The findings and Facebook’s rejection of the report’s recommendations highlight critical weaknesses within the current Canadian privacy protection framework and underscore an urgent need for stronger privacy laws, according to both Commissioners.

“It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions,” says Commissioner Therrien.

In addition to the power to levy financial penalties on companies, both Commissioners say they should also be given broader authority to inspect the practices of organizations to independently confirm privacy laws are being respected. This measure would be in alignment with the powers that exist in the U.K. and several other countries.

Giving the federal Commissioner order-making powers would also ensure that his findings and remedial measures are binding on organizations that refuse to comply with the law. 

The complaint that initiated the investigation followed media reports that Facebook had allowed an organization to use an app to access users’ personal information and that some of the data was then shared with other organizations, including Cambridge Analytica, which was involved in U.S. political campaigns.

The app, at one point called “This is Your Digital Life,” encouraged users to complete a personality quiz. It collected information about users who installed the app as well as their Facebook “friends.” Some 300,000 Facebook users worldwide added the app, leading to the potential disclosure of the personal information of approximately 87 million others, including more than 600,000 Canadians.

The investigation revealed Facebook violated federal and B.C. privacy laws in a number of respects. The specific deficiencies include:

Unauthorized access

Facebook’s superficial and ineffective safeguards and consent mechanisms resulted in a third-party app’s unauthorized access to the information of millions of Facebook users. Some of that information was subsequently used for political purposes.

Lack of meaningful consent from “friends of friends”

Facebook failed to obtain meaningful consent from both the users who installed the app as well as those users’ “friends,” whose personal information Facebook also disclosed.

No proper oversight over privacy practices of apps

Facebook did not exercise proper oversight with respect to the privacy practices of apps on its platform.  It relied on contractual terms with apps to protect against unauthorized access to user information; however, its approach to monitoring compliance with those terms was wholly inadequate.

Overall lack of responsibility for personal information

A basic principle of privacy laws is that organizations are responsible for the personal information under their control. Instead, Facebook attempted to shift responsibility for protecting personal information to the apps on its platform, as well as to users themselves.

The failures identified in the investigation are particularly concerning given that a 2009 investigation of Facebook by the federal Commissioner’s office also found contraventions with respect to seeking overly broad, uninformed consent for disclosures of personal information to third-party apps, as well as inadequate monitoring to protect against unauthorized access by those apps.

If Facebook had implemented the 2009 investigation’s recommendations meaningfully, the risk of unauthorized access and use of Canadians’ personal information by third party apps could have been avoided or significantly mitigated.

Facebook’s refusal to accept the Commissioners’ recommendations means there is a high risk that the personal information of Canadians could be used in ways that they do not know or suspect, exposing them to potential harms.

Given the extent and severity of the issues identified, the Commissioners sought to implement measures to ensure the company respects its accountability and other privacy obligations in the future. However, Facebook refused to voluntarily submit to audits of its privacy policies and practices over the next five years.

The Office of the Privacy Commissioner of Canada plans to take the matter to Federal Court to seek an order to force the company to correct its privacy practices.

The Office of the Information and Privacy Commissioner for B.C. reserves its right under the Personal Information Protection Act to consider future actions against Facebook.  

* Note: my yellow highlighting

Nor should this alleged 'mistake' made by Facebook cause surprise.......

The New York Times, 25 April 2019:

SAN FRANCISCO — The New York State attorney general’s office plans to open an investigation into Facebook’s unauthorized collection of more than 1.5 million users’ email address books, according to two people briefed on the matter.

The inquiry concerns a practice unearthed in April in which Facebook harvested the email contact lists of a portion of new users who signed up for the network after 2016, according to the two people, who spoke on condition of anonymity because the inquiry had not been officially announced.

Those lists were then used to improve Facebook’s ad-targeting algorithms and other friend connections across the network.

The investigation was confirmed late Thursday afternoon by the attorney general’s office.

“Facebook has repeatedly demonstrated a lack of respect for consumers’ information while at the same time profiting from mining that data,” said Letitia James, the attorney general of New York, in a statement. “It is time Facebook is held accountable for how it handles consumers’ personal information.”…

Users were not notified that their contact lists were being harvested at the time. Facebook shuttered the contact list collection mechanism shortly after the issue was discovered by the press…..

Facebook Inc's rapacious business practices have been the death of online privacy and now threaten the democratic process.

Friday, 24 August 2018

Australian Attorney-General releases a draft bill which will allow the gaoling of Australian citizens for 10 years if they refuse to reveal passwords or encryption codes



According to Crikey.com.au on 15 August 2018:

In addition to its village idiot approach to undermining end-to-end encryption in new surveillance laws, the government is also seeking a blunt-force trauma approach: it wants to jail people for a decade if they refuse to give up the password to their devices.

Under the draft Assistance and Access Bill 2018 unveiled yesterday, the government is giving police, spy agencies and regulators like the ATO the power to demand that tech companies help them plant malware on computers and phones to help it defeat end-to-end encryption.


Wednesday, 22 August 2018

And the warnings continue about My Health Record.....


Financial Review, 13 August 2018:

One of the world's leading experts in cyber security policy has warned the manipulation of health data is one of his biggest concerns facing society, as debate continues to rage about the long-term viability of the government's controversial opt-out My Health Record.

Former Pentagon chief strategy officer for cyber policy and newly appointed head of cyber security strategy for data centre security company Illumio, Jonathan Reiber, told The Australian Financial Review the health data of MPs and business leaders would be of particular interest to cyber criminals.

"If I'm a malicious actor wanting to cause discontent, I would be interested in that," he said.

"If you get access to the health information of key leaders, you can understand what they like, who they are and what their problems are. [Cyber criminals] would want to look at a segment of 50 to 100 key leaders in the country, figure out data for intelligence purposes and then manipulate the data for the negative."

Earlier this month Health Minister Greg Hunt announced that the government would redraft the legislation surrounding My Health Record to restrict police access and allow records to be deleted permanently. 

He had previously copped criticism for saying the digital health database had "military-grade security", despite not having two-factor authentication protocols.


The Sydney Morning Herald, 14 August 2018:

Labor's health spokeswoman Catherine King said the government's decision to switch to an opt-out model, which Labor originally supported, gave rise to "a whole range of significant privacy and security issues that we don't think were thought of in the original enabling legislation".

"Are they then able to opt-out when they become adults? What's happening in terms of survivors of domestic violence and the capacity through the creation of a record by an abusing partner, of a record for their children or agreement to a record for their children, what security is in place to ensure that they are not traced?"

Legal experts have warned that the system provides a loophole for a violent person to create a record for their child without their ex-partner's consent, potentially allowing them to track down their estranged family's location, as revealed by Fairfax Media last month.

Ms King also highlighted concerns raised about access to medical records by health insurers, including in relation to worker’s compensation claims, which the government has said will not occur.


"We want to make sure that's not the case and we want to make sure that's not the case under the law," she said.


Some people may find their My Health Record places them at risk of stigma and discrimination or may cause safety issues.

You may wish to carefully consider whether you want your health records held or shared if you:

* have a criminal record or are affected by the criminal justice system
* use or have used drugs
* live with a lifelong transmissible condition such as HIV or hepatitis B
* have or had hepatitis C
* are not on treatment after it was recommended
* are sexually active and test regularly for STIs
* are or have been a sex worker
* are transgender or intersex
* are bisexual, lesbian or gay
* have lived with mental health issues
* have been pregnant or terminated a pregnancy
* are a health care worker.

Tuesday, 7 August 2018

Australian Digital Health Agency is considering adding DNA data to My Health Record


Crikey.com.au, 6 April 2018:

DNA DEBATE

The federal government’s controversial My Health Record program is capable of storing genomic data, such as cancer risks, using technology that both has huge research applications and highlights privacy and security concerns.

The Sydney Morning Herald reports that genome-sequencing company Genome.One, which can track genetic variations and therefore disease risks, has built “necessary infrastructure” for uploading sensitive genomic data into the opt-out system.

University of Canberra privacy expert Bruce Arnold has criticised the inherent risks of DNA-tracking technology and, just a week after the government backdown on police access to My Health Records, today’s news as again demonstrating a lack of public consultation.

The Australian Digital Health Agency (ADHA), which is responsible for My Health Record, gave Genome.One, a wholly-owned subsidiary of The Garvan Institute, $40,000 in September 2017 to support the development of this software.

Its GoExplore™ software provides sequencing and analysis of patients’ DNA samples to assess their risk of developing 52 hereditary conditions, including 31 cancers and 13 heart conditions, as well as several other conditions where monitoring or intervention can be of benefit.

In a change of focus, Genome.One and The Garvan Institute are reportedly no longer offering clinical reporting for genetic disease diagnosis or personal health genomics in Australia. This service was priced at $6,400 plus GST, with no Medicare rebate.

Staffing numbers in Genome.One have been severely cut, new capital is being sought and Garvan has stated that it intends to spin off Genome.One software into a new company in which it will be a minority shareholder.

However, Genome.One still intends to pilot its genomics technology integrated into GP practice software and on 18 April 2018 its CEO stated: “We're working with some electronic medical record providers and we're hoping that we can get a trial underway at some point this year”.

Sunday, 5 August 2018

Tell me again why the Turnbull Government is insisting My Health Record will become mandatory by the end of October 2018?


It is not just ordinary health care consumers who have concerns about the My Health Record database, system design, privacy issues and ethical considerations.

It is not just the Turnbull Government which has not sufficiently prepared public and private health care organisations for the nationwide rollout of mass personal and health information collection - the organisations themselves are not ready.

Lewis Ryan (Academic GP Registrar):

* 91% of GP Registrars have never used My Health Record in a clinical context

* 65% of GP Registrars have never discussed My Health Record with a patient

* 78% of GP Registrars have never received training in how to use My Health Record

* 73% of GP Registrars say lack of training is a barrier to using My Health Record

* 71% of GP Registrars who have used the My Health Record system say that the user interface is a barrier

* Only 21% of GP Registrars believe privacy is well protected in the My Health Record system

In fact Australia-wide only 6,510 general practice organisations to date have registered to use My Health Record and these would only represent a fraction of the 35,982 GPs practicing across the country in 2016-17.


UPDATE

Healthcare IT News, 3 August 2018:

The Federal Government’s Health Care Homes is forcing patients to have a My Health Record to receive chronic care management through the program, raising ethical questions and concerns about discrimination.

The government’s Health Care Homes trial provides coordinated care for those with chronic and complex diseases through more than 200 GP practices and Aboriginal Community Controlled Health Services nationally, and enrolment in the program requires patients to have a My Health Record or be willing to get one.

But GP and former AMA president Dr Kerryn Phelps claimed the demand for patients to sign up to the national health database to access Health Care Homes support is unethical.

“I have massive ethical concerns about that, particularly given the concerns around privacy and security of My Health Record. It is discriminatory and it should be removed,” Phelps told Healthcare IT News Australia.

Under a two-year trial beginning in late 2017, up to 65,000 people are eligible to become Health Care Homes patients as part of a government-funded initiative to improve care for those with long-term conditions including diabetes, arthritis, and heart and lung diseases.

Patients in the program receive coordinated care from a team including their GP, specialists and allied health professionals and according to the Department of Health: “All Health Care Homes’ patients need to have a My Health Record. If you don’t have a My Health Record, your care team will sign you up.”

Phelps said as such patients who don’t want a My Health Record have been unable to access a health service they would otherwise be entitled to.

“When you speak to doctors who are involved in the Health Care Homes trial, their experience is that some patients are refusing to sign up because they don’t want a My Health Record. So it is a discriminatory requirement.”

It has also raised concerns about possible future government efforts to compel Australians to have My Health Records.

“The general feedback I’m getting is that the Health Care Homes trial is very disappointing to say the least but, nonetheless, what this shows is that signing up to My Health Record could just be made a prerequisite to sign up for other things like Centrelink payments or workers compensation.”

Human rights lawyer and Digital Rights Watch board member Lizzie O’Shea claims patients should have a right to choose whether they are signed up to the government’s online medical record without it affecting their healthcare.

“It is deeply concerning to see health services force their patients to use what has clearly been shown to be a flawed and invasive system. My Health Record has had sustained criticism from privacy advocates, academics and health professionals, and questions still remain to be answered on the privacy and security of how individual's data will be stored, accessed and protected,” O’Shea said. [my yellow highlighting]

Friday, 3 August 2018

NSW Roads & Maritime Services bungling and corrupt in 2018?


NSW Minister for Roads Maritime and Freight has a policy of sending IT jobs offshore?

With the unemployment rate running at 5.4 per cent nationally in June 2018 and the New South Wales rate sitting at 4.8 per cent, or 192,000 people, is the Minister for Roads, Maritime and Freight and Nationals MP for Oxley, Melinda Pavey, secretly closing off employment opportunities for Australian information technology workers as a departmental cost-cutting measure?

These are not exactly the highest paying jobs in this country, averaging $46,000-$100,000 pa, and with the IT worker pool standing at an estimated 600,000+ nationally it is not as though there is an obvious scarcity of skilled workers available for hire.

So at first it was not easy to explain this...... 

The Daily Telegraph, 20 July 2018. P.2:

Leaked details of a meeting between Roads and Maritime Services and seven companies bidding for a $100 million IT contract contradict state government denials that it mandated a 30 per cent quota of cut-price overseas workers.

The February 13 meeting, convened by chief information officer Rob Putter, came six days after the RMS called for tenders to provide IT services, on the condition that a “minimum” of 20 per cent of jobs would be sent overseas in the first year and 30 per cent in the second year.

Three Indian firms, Tata Consultancy Services, Wipro, and Tech Mahindra, attended the meeting along with Fujitsu, Datacom, Accenture and Wollongong company itree, with 25 people in the room and 18 dialling in.

A source who attended the meeting said Mr Putter showed a PowerPoint slide titled RMS Pricing Principles which stated the RMS was “seeking to achieve the lowest possible cost” to provide the IT service.

The slide stated RMS’s “target offshore resource utilisation” required 20 per cent of jobs offshore in year one, 30 per cent in year two and a “measured ongoing approach to increase offshore efforts” over the rest of the seven-year contract.

Photocopies of the slide were provided to attendees, who “discussed at length ... the need to offshore resources (jobs)”, the source said.

“The RMS personnel stated that it was mandated by the (Roads) Minister that to achieve the lowest price they need to seek offshore resources,” the source said. 

“This clearly makes a joke of the Minister’s denial that this tender mandated offshoring.” As The Daily Telegraph revealed last week, the RMS had called for companies to provide “development, testing, maintenance and service management for transport-related software applications and in-the-field hardware”.…..

The RMS announced Mr Putter’s resignation last week.

Despite NSW Government denials, it remains highly likely that jobs were to be sourced overseas, as the RMS IT operational budget blowout had reached $80 million in the 12 months to June 2018, following a $40 million blowout in the operational budget in the previous financial year.

It appears that Roads and Maritime Services has bungled its $1 billion IT systems upgrade with more bad news expected.

Dollars for mates?

Crikey.com.au, 2 August 2018:

New South Wales transport consultancy firm MU Group [MURPHY UDAYAN GROUP*] is under fire after six government contracts, none of which went to public tender, were awarded to the company after it hired former state roads minister Duncan Gay.

The Daily Telegraph ($) reports that the firm has been awarded contracts from the Roads and Maritime Services agency worth over $4.46 million after hiring the former department head as an “executive adviser” just weeks after Gay left parliament in late 2017. The firm has reportedly hired at least 11 former Roads and Maritime Services staff members, including two as directors, however Gay says he has “not been involved in any RMS contracts that MU have won”.

* Director and Founder of the MU Group Matthew Murphy is a former Roads and Maritime Services civil engineer in project/contract management with extensive experience on infrastructure projects for urban roads and highways, including the Pacific Highway upgrades.