Thousands of SA public health patients caught up in data breach of third-party platform

Thousands of South Australian public health patients are being contacted over a data breach of a third-party run portal.

The state government said “unintentional human error” by patient portal Personify Care allowed an “unauthorised third party” to delete a folder used to store patient documents uploaded to an online platform.

Department of Health and Wellbeing chief executive, Dr Robyn Lawrence, said the folder contained the health information of 121 patients on “supervised medication protocols”.

“What they were uploading was basically copies of themselves taking their medication,” Dr Lawrence said.

“They were on supervised medication protocols so they were confirming to their doctors that they were taking their medication in line with the protocols.”

The state government said the folder also contained the name and phone number of 12,624 patients. That information was used to “invite them” to use the system.

Health Minister Chris Picton said the files were deleted and there was no evidence that the data had been copied or downloaded.

Dr Lawrence described it as a “disappointing incident”, but said patients should continue to use Personify Care.

“Please don’t stop using the system without speaking to your practitioner first,” she said.

Mr Picton said Personify Care told them they were one of “a number of organisations” impacted by the incident, and patients were being contacted directly by the company.

Mr Picton said the government first learned about the data breach four days after it occurred on October 16. They were given a briefing on Tuesday. 

The latest incident is the second in as many weeks involving data from a government agency held by a third-party.

Opposition health spokeswoman Ashton Hurn said “appropriate steps” must be taken to “ensure the integrity of the system”.

“There’s nothing more sensitive than our individual medical records, so it’s incredibly concerning to learn that the records of more than a hundred South Australians were able to be tampered with — particularly off the back of the Super SA cyber attack,” Ms Hurn said.

Dr Lawrence said the deleted data had not been lost because there were back-up copies.

“At this stage our advice is that there’s no evidence that information has actually been taken away and it’s certainly not visible on the dark web through the processes that the digital agencies used,” she said.

Personify Care’s chief executive, Ken Saman, said the company had verified no other patient information was compromised and “corrective measures” had been put in place to “prevent such incidents from recurring”.

“We have also confirmed the situation has been resolved, and the risk to patient information has been mitigated,” Mr Saman said in a statement.

“The incident was detected by our response team within two hours, corrective measures were enacted and deleted data restored within the following two hours.”

Monash University cybersecurity professor Nigel Phair said statistics showed the health sector was the hardest hit by data breaches because it had the “juicer data”.

“The number one sector that gets hit with the most amount of data breaches is unsurprisingly is the health sector and that’s been consistent through both the number and the amount,” Professor Phair said.

While the government has moved to assure patients that their data does not appear to have been downloaded or copied, Professor Phair said any breach was of concern.

“I think people should be concerned every time there is a data breach,” he said.

“Every time there is the potential loss of personally identifying information of consumers is a really serious event and needs to be treated as such.”