Get all your news in one place.
100’s of premium titles.
One app.
Start reading
ABC News
ABC News
Health
Exclusive by Jack Hislop

Thousands of identifiable NT patient health files sent to overseas-based software vendor in government data breach

More than 3,000 identifiable health records were sent to the international company in 2019. ( ABC News: Randi Dahnial)

The Northern Territory government has breached the privacy of thousands of public health patients by sending identifiable medical records to a software vendor with offices in Europe, South America and China.

A preliminary incident report, obtained by the ABC through freedom of information laws, shows the extent of identifiable patient data transferred between NT Health, the Core Clinical Systems Renewal Program (CCSRP) and global software vendor Intersystems between 2018 and 2019.

The CCSRP – which sits within the Department of Corporate and Digital Development — was established in 2017 to integrate four NT Health patient record systems into one, at a cost to taxpayers of $259 million.

The new health record system, named "Acacia", uses software purchased from Intersystems.

Patients from across the NT health system have been impacted by the breach.  (ABC News: Che Chorley)

The records of 50,616 patients were sent from NT Health to the CCSRP.

Then, as part of the arrangement, 3,277 identifiable patient records were transferred from the CCSRP to Intersystems.

That is according to Intersystems, which was asked by the CCSRP for an audit of the transferable data prior to the incident report.

But experts said it was not clear whether every file sent to Intersystems was found.

Transfer of data a 'systemic issue'

The incident report was commissioned by NT Health in 2019 to quantify the scale of data transferred.

The report established four criteria to evaluate the clinical risk associated with each record sent between NT Health, CCSRP and Intersystems.

Two records transferred from CCSRP to Intersystems were classed as "very-high risk", with 476 regarded as "high risk".

Health records were sent from NT Health to the CCSRP before a number were sent to Intersystems.  (ABC News: Randi Dahnial)

To be ranked in these two "risk rating" categories, a patient's full name had to be visible, with "highly sensitive" or "sensitive" information present.

Patient items included psychology reports and psychiatric facility visits, termination of pregnancy or stillbirth records, and electroconvulsive therapy — also known as electric shock therapy — records.

Oncology treatment location visits, organ donation and receipt details were also transferred.

All other patient items were either classed as "medium risk" or "low risk", with the report stating the "transfer of identifiable data was a systemic issue and not performed by a single malign body".

The incident was never made public by then-health minister and current Chief Minister Natasha Fyles.

In a statement to the ABC, Ms Fyles said the incident was referred to the NT Information Commissioner.

Natasha Fyles, who was the health minister at the time, did not make the breach public.  (ABC News: Michael Franchi)

Intersystems — which has its headquarters in the United States but has offices across 26 other countries — didn't respond to questions from the ABC.

'How far have the files been spread?'

The incident report also revealed that no data governance framework was set by either NT Health or the Acacia project team prior to the transfers.

Cyber security expert at the University of New South Wales Professor Richard Buckland said Northern Territory residents had a right to be worried.

"How far have the files been spread?" he questioned.

"Who knows if [Intersystems] found all the files that were actually sent?"

Other cyber security experts have told the ABC that normal practice when transferring health data is to undertake privacy impact and security impact assessments.

Richard Buckland says the government should have transferred mock data.  (ABC: David Lewis)

"There'd be a data governance plan," Professor Buckland said.

"They would de-identify [the data], it would have been encrypted, and there would have been processes in place to control who can look at it, and for how long, and it would have been securely deleted after.

"I suspect if a data governance plan had been worked out, they wouldn't have even used live data.

"They would have made mock data based on live data, because there is no reason, in setting up a system, to use live data — you can make close enough replicas."

Risk of data hack

Sending identifiable patient health data to a software vendor also created an opportunity for it to be hacked, Professor Buckland said.

Professor Buckland says the data could be hacked and made public or used as blackmail.  (ABC News: Maren Preuss)

"The risks that people face are the same risks we saw with Medibank, that there's confidential data that you might be embarrassed about being released," he said. 

"If that data was not properly looked after and got into the public domain or bad guys got a hold of it, then people could be blackmailed … or ransomed.

"The big danger is if you were in rehabilitation or had electroconvulsive therapy … and that gets released into the public, then that will be visible to anyone who googles your name in the future."

In a statement, NT Health said the files have been permanently deleted and internal controls have since been strengthened.

If you're unable to load the form, you can access it here

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.