Retracted health records can be used to re-identify patients: study

Medicare data released, then retracted by the Health Department in 2016 can be used to re-identify patients, potentially revealing sensitive information such as mental health treatment and pregnancy terminations.

GP checking a patient's blood pressure.

Details of sensitive health information could potentially be exposed according to new study. Source: AAP

A released on Monday by the University of Melbourne has used retracted Department of Health records from the Medicare Benefits Scheme and Pharmaceutical Benefits Scheme, that were published online in August 2016, to determine the identity of several Australians including three MPs and an AFL footballer.

The medical billing records of about 2.9 million Australians were swiftly pulled offline when the same Melbourne University team found they could determine service providers based on the published information, prompting a privacy scare.

In their findings, Dr Chris Culnane, Dr Benjamin Rubinstein and Dr Vanessa Teague said they had used the de-identified historical health data to again make identifications, potentially exposing sensitive information.

"We found that patients can be re-identified, without decryption, through a process of linking the encrypted parts of the record with known information about the individual such as medical procedures and year of birth," Dr Culnane said.

"This shows the surprising ease with which de-identification can fail, highlighting the risky balance between data sharing and privacy."

Dr Teague, one of the researchers from the university's School of Computing and Information Systems has called for greater controls to ensure private information amidst the needs of having data available to facilitate research and advise public policy.

"We need much more controlled release in a secure research environment, as well as the ability to provide patients greater control and visibility over their data."

A Department of Health spokesperson told SBS News it took this matter "very seriously" and had already referred this to the Privacy Commissioner. 

"This matter dates back to 2016 and since then the Australian government has taken further steps to protect and manage data," a statement from the department said.

"The department is working with the University of Melbourne and has already acted to improve its processes.

"The Department has not been aware of anyone being identified."

2 min read
Published 18 December 2017 at 6:43pm
By Laurie Lawira