The My Health Record system was the subject of an attempted hack in September last year, the Australian Digital Health Agency has revealed.
National health chief information officer Ronan O’Connor told a parliamentary inquiry into cyber resilience the cyber incident was one of two “potential data breaches” to occur since July 2019.
Both were reported to the Office of the Australian Information Commissioner in line with agency's requirements under the My Health Records Act and neither resulted in any access to the system or data loss.
O’Connor said the first data breach notification related to a “potential compromise to external IT infrastructure supporting the wider My Health Record system”.
“Somebody tried to hack our system, so the external perimeter for our system,” he said on Tuesday.
“I want to assure the committee that there was no access into the My Health Record whatsoever. No information or personal sensitive information was accessed.”
O’Connor said the ADHA’s security monitoring tools picked up the “potential vulnerability within the system and as a consequence of that we notified the OAIC”.
“The OAIC has received what we shared with them and we also worked with the Australian Cyber Security Centre, and on that basis they were happy with the outcome,” he said.
A spokesperson told iTnews the potential threat to supporting IT infrastructure connected to the My Health Record system was identified on 18 September 2019 and was promptly addressed.
“In the context of this matter, external IT infrastructure supporting the My Health Record system was subjected to cyber reconnaissance activities,” the spokesperson said.
“The reconnaissance activities did not involve any access to the My Health Record system core infrastructure where health records are stored and there was no access to any healthcare data at any time.”
O’Connor said the ADHA or ACSC was unable to identify the actor involved in the attempted breach.
“We don't have that level of information. We worked very closely with the ACSC and on that basis we don't know the actor in this instance,” he said.
O’Connor said the second data breach investigation related to “a state health care facility”, but turned out to be a false alarm.
“They became aware that the system had potentially been accessed without the healthcare recipients authority,” he said.
“After an investigation was undertaken, it was confirmed that the individual whose record was accessed was indeed receiving healthcare at that facility at the time of access, so there was no compromise.”
The reduction in breach notifications is a markable improvement on the 38 potential data breaches that occurred in the 2018-19 financial year.
O’Connor also noted the the ADHA is fully compliant with the essential eight mitigation strategies and has a comprehensive security program that is overseen by a dedicated cyber security centre.
“We’ve got quite a comprehensive program of system and security monitoring, whereby we have specialist real-time monitoring tools configured and tuned to automatically detect any anomalies in the system itself,” he said.
“This auditing of activity ranges from system to system activity, so in relation to endpoints. All traffic [that] stems to and from the My Health Record System is monitored.
“And if there is any unusual behaviours or activity we’ve got the opportunity to notify that organisation and then in instances where we we’ve got particular concern we can suspend access to the My Health Record system.”
Updated Wednesday 20 May to include additional information from ADHA.