
Cyber Incident Victim: Australian Digital Health Agency

Date: Oct 2020

Location: Australia

Summary

Two security incidents compromised the My Health Record system during the reporting period. The first involved a breach of external IT infrastructure supporting the system, with no health information accessed or stolen, while the second consisted of unauthorized access to an individual's record by a member of their treating team using legitimate credentials. These incidents marked a significant reduction compared to prior years, occurring alongside increased system usage and document uploads, though COVID-19 response priorities delayed some planned enhancements and connectivity targets for private pathology and diagnostic imaging providers.


Description

During the 2019-20 financial year, the Australian Digital Health Agency (ADHA) reported two security incidents affecting the My Health Record system. The first incident involved a breach of external IT infrastructure supporting the My Health Record system, which was promptly identified and addressed. ADHA confirmed no health information was compromised or stolen during this event and reported the matter to the Office of the Australian Information Commissioner (OAIC). The second incident consisted of unauthorized access to an individual's My Health Record, reported by a state or territory authority. Investigation revealed a member of the affected individual's healthcare treatment team used legitimate login credentials to access the record without proper authorization. ADHA did not disclose whether disciplinary or legal actions resulted from this access. These two incidents marked a substantial reduction from the 38 security breaches documented in the previous financial year.


As of 30 June 2020, the My Health Record system contained 22.8 million active records, with 1.75 million consumers accessing their records via the national portal and 810 million clinical documents uploaded during the financial year. The incidents occurred alongside operational challenges, including ADHA's failure to meet its 80% connection target for private pathology labs, achieving only 67% participation. Conversely, private diagnostic imaging practices exceeded their 20% target by reaching 23% connectivity. ADHA attributed pathology shortfalls to ongoing negotiations with larger providers and software upgrade complexities. COVID-19 response priorities delayed multiple ADHA projects, including enhancements to secure messaging systems and formal governance arrangements for interoperability principles. The pandemic diverted health sector resources, impacting software vendor capacity to deliver scheduled system improvements. No direct correlation was established between these delays and the security incidents.
