When she addressed the annual conference of the Royal Australian College of General Practitioners in Perth last week, Health Minister Sussan Ley was already in a hostile environment.
Doctors are angry at cost-saving measures that are putting pressure on their fees. They believe the government has broken promises, used them as a collective cash cow and left them to pass on higher costs to their patients.
Standing at the podium, Ley surprised the GPs by apologising for something else entirely.
Ley revealed that the health department had inadvertently committed a potentially serious breach of the Privacy Act by deliberately publishing supposedly anonymous Medicare and pharmaceutical claims data involving GPs and three million of their patients.
To help health researchers provide better analysis and contribute to health policy, the department had made public âde-identifiedâ records of claims under the Medicare Benefits Schedule and Pharmaceutical Benefits Scheme for a randomly selected sample of 10 per cent of the Australian population.
But it had also included just enough information about its encryption algorithms to enable a competent code-breaker to unravel the jumbled numbers that replaced doctorsâ provider numbers and potentially identify them.
Ley did not explain why, when doctors who discover a privacy breach are obliged to alert those affected immediately, the government waited 16 days.
It took analysts at the University of Melbourneâs Department of Computing and Information Systems just a few days to do it.
âYes, there will always be risks, no matter how slight, around the release of any de-identified data,â Ley told the conference last Thursday morning, as she segued to a nothing-to-see-here confession, five minutes into a half-hour speech. âItâs how we manage these risks when they arise that is important.â
Her departmentâs risk management is now the subject of considerable discussion across government about how the release of information on the Department of Prime Minister and Cabinetâs data.gov.au website could have been so badly handled.
Ley revealed that the University of Melbourne researchers had notified her department of âa vulnerabilityâ in the encrypted data on September 8 â the researchers say it was actually September 12 â and âthat individual healthcare providers could possibly be re-identifiedâ.
Ley assured doctors there were âno provider names in the datasetâ and no patient information had been âcompromisedâ.
But the analysts had shown doctor re-identification was possible. They simply chose not to do it.
âItâs certainly something we take seriously and we apologise for any concern this may cause you as providers,â Ley told the doctors.
Ley said they should not be concerned because Attorney-General George Brandis was preparing legislation to make it a criminal offence to publish re-identified records or âcounsel, procure, facilitate or encourageâ them to be published or communicated.
Revealing the new offence by press release on September 28 â the night before Leyâs speech â Brandis announced it would be legislated when parliament resumes and backdated to that day.
âThe publication of major datasets is an important part of 21st century government providing a great benefit to the community,â Brandis said.
But the government also recognised privacy was âof paramount importanceâ. Strict procedures were applied to ensure data was anonymous.
âHowever, with advances of technology, methods that were sufficient to de-identify data in the past may become susceptible to re-identification in the future,â he said.
What he did not say was that the law was being changed because those methods had already failed.
And what the health minister did not say the next morning was that with the addition of a few extra obtainable details about individuals, the decrypted health provider data could be used to identify some patients, match up their records, and form a picture of the tests, procedures and drugs that people in the sample had undertaken and been prescribed, revealing their most intimate health information. It would not be easy, but it is possible.
A spokeswoman for the department said that while the academic team had shown the health service provider numbers could be decrypted, âthis information has not been published or disseminatedâ.
âIf decrypted, the information would reveal the health service provider number only. Other information would need to be sourced to identify any specific healthcare provider. There is no evidence that this has happened. No patient information has been identified, no patientâs privacy has been compromised in any way.â
The spokeswoman confirmed the data, understood to have been made publicly available in August, had been downloaded 1500 times, 500 times via academic or government domains and the rest by health insurance companies, âconsultanciesâ, ânot-for-profit organisationsâ and other companies or individuals unnamed.
The government canât say for sure who might already have the data or how they might have used it before the new law takes effect, only that it has not been âdisseminatedâ.
Ley did not explain why, when doctors and others who might discover a privacy breach are legally obliged to alert those affected immediately, the government waited 16 days.
A spokesman for the minister did not return The Saturday Paperâs calls.
The RACGP chair of e-health and practice systems, Nathan Pinskier, says that, at the very least, the time lag indicates a double standard.
âThereâs a question around transparent and open disclosure,â Pinskier tells The Saturday Paper. âWeâre expected to be held to the highest account but they donât do the same thing.â
The Melbourne University team who blew the whistle on the health departmentâs mistake is Dr Chris Culnane, Dr Benjamin Rubenstein and Dr Vanessa Teague. They set out to see how strong the governmentâs encryption was. It turns out, not very strong.
Teague tells The Saturday Paper each anonymised set of data âcontained a lot of detail about individualsâ.
She emphasises that the patient records themselves could not automatically be decrypted â other specific information would still be needed.
But while those identities were hidden using numbers the team had not been able to decrypt, anyone with their same skills and a bit of extra detail â such as an individualâs age, roughly where they saw a doctor or knowledge of recent procedures or treatments â could piece together the records.
The department says the published data excluded some rare events to help anonymise it.
âIt depends on how much is known about the person and how unusual the person is,â Teague says. But she confirmed individuals in the sample were still potentially identifiable.
âThe question, if indeed the person is there (in the sample), is how much do you need to know and how unusual do they need to be?â
The decrypted data can potentially be misused, should individuals be identified.
The health history can include tests for diseases, mental health consultations, abortions and signs of chronic illness.
That information could be valuable to an insurance company wanting to increase premiums or refuse cover to individuals based on risk.
An employer might use it to check up on staff. An ex-spouse seeking ammunition for a custody battle might be interested, or a media organisation trading in celebrity gossip, or a stalker, or a blackmailer â hence the new offence.
Based on re-identified provider records, an insurer could examine a doctorâs prescribing history without necessarily having the context of each referral or script.
âThat sort of data is really useful as a peer comparison tool between practices,â the RACGPâs Nathan Pinskier says. â⌠But just to expose it out in the public is of concern.â
Laborâs shadow health minister Catherine King says the Turnbull government âhas serious questions to answerâ.
The governmentâs new law will punish any publication that occurs after last Wednesday but it canât be sure what might have been privately acted on before then.
âWe showed the encryption could be reversed and that was clearly not meant to happen,â Melbourne Universityâs Teague says.
The team published their findings without revealing the data itself.
âPublishing data can bring great benefits to research but also great risks to privacy,â its report said. âThe mathematical details matter: itâs a technically challenging task to understand whether a particular algorithm securely encrypts data or not. Datasets containing sensitive information about individuals clearly deserve more caution than others, and may not always be suitable for open public release.â
Teague says it is âan important thing to investigateâ.
Once alerted, the department called in the governmentâs cybersecurity experts and began an investigation.
It notified the privacy commissioner, Timothy Pilgrim, who has started one of his own.
âThe primary purpose of the investigation is to assess whether any personal information has been compromised or is at risk of compromise,â Pilgrim says, âand to assess the adequacy of the Department of Healthâs processes for de-identifying information for publication.â
The health department has now asked the university researchers to help improve future encryption processes.
Teague says they will advise on the risks present in whatâs already been released â another indication the government canât quantify those right now â and how data should be treated in future âso we can be confident before we put it up that it doesnât pose a risk to anybodyâs privacyâ.
The college of GPs points out that with doctors being shifted to the governmentâs new digitised e-health system, this was not great reassurance.
âIf the government canât manage one dataset, how can it guarantee it can manage another?â Nathan Pinskier asks.
The transition to the national e-health system has already been slower than the government hoped, prompting it to provide more time and funding for struggling general practices to make the leap.
But the extension until 2020 of the already three-year freeze on the Medicare rebate doctors are paid per consultation has fostered ill will. Advertisements against the measure have been back on television. Doctors are not going without a fight.
New RACGP president Bastian Seidel says that when the government rebate for taking out private health insurance is above inflation, at more than 4 per cent, itâs not logical that the rebate for visiting a GP in the public system doesnât move with inflation at all.
He says the latest government figures, published last week, show a $177Â million annual underspend on bulk-billing â $150 million of which could be used to fund a rebate rise in line with inflation.
But while assuring doctors she wanted to work âin partnershipâ, Ley also said she needed to save money and their requests were ârarely matched with alternative ways to pay for themâ.
She told doctors: âThe responsibility for keeping the budget balanced in our relationship canât be one-sided.â
Australian Medical Association president Michael Gannon had a meeting with Ley last week. He has since written to her, outlining ongoing concerns.
âWhile the Medicare freeze is not the only issue in the health system, it does represent a speed bump to general engagement,â Gannon says.
GPs are also extremely unhappy about the winding back of bulk-billing incentives for radiology and pathology â now deferred until January â which will likely see a patient co-payment introduced.
And they are livid about a pre-election government deal struck with big pathology companies to force GPs to cap the rents they charge for co-located pathology collection centres.
In the face of government assurances that bulk-billing rates remain high, the college of GPs commissioned its own survey, showing they had fallen from 80 per cent to 69 per cent.
âThese are very worrying signals from the general practice community,â Consumers Health Forum chief executive Leanne Wells says.
Seidel says the governmentâs measures will lead to patients having to pay more without better health outcomes.
âIf you are writing policies that are not evidence-based, donât be surprised by what the consequences are,â he says.
Being effectively ambushed by Leyâs revelation about the data breach didnât help relations either. Seidel and senior colleagues were informed an hour before the ministerâs speech.
The health department says it will keep publishing data to assist health researchers. Private Healthcare Australiaâs chief executive, Dr Rachel David, urged that the breach ânot derail the process of providing high-value datasets to researchers and stakeholdersâ. Leanne Wells also says it is crucial to knowing âwhat works and what doesnâtâ but that the incident âpoints to the need for rigorous assessment of risks to privacy and safeguardsâ.
The dataset is no longer online. The department says it âwill only be restored when concerns about its potential vulnerabilities are resolvedâ.
Cyber complexities notwithstanding, resolving that may prove easiest of all.