ONE in 10 Australians' private health records have been exposed in a major error by the Department of Health that shows what medication patients are on and whether they are seeing a psychologist.
Heath data from the Medicare Benefits Scheme and Pharmaceutical Benefits Scheme released in August 2016 can be traced back to the individual, University of Melbourne researchers found.
The data was supposed to be anonymised when it was released in August 2016, but the report found it could easily be traced back to the owner by linking a record with known information such as date of birth and medical procedures.
The study revealed unique patient records matching the online records of seven prominent Australians, including three former and current MPs and an AFL footballer.
A team from Melbourne's school of computing and information systems warned that similar problems could exist with other de-identified government data, from the Census, tax or Centrelink, for example.
"We found that patients can be re-identified, without decryption, through a process of linking the unencrypted parts of the record with known information about the individual such as medical procedures and year of birth," said Dr Chris Culnane, who conducted the study with Dr Benjamin Rubinstein and Dr Vanessa Teague.
"This shows the surprising ease with which de-identification can fail, highlighting the risky balance between data sharing and privacy."
The researchers found they could narrow down the individual using commercial datasets, such as credit history.
A private medical insurer, for example, could then look through decades of health records for around 2.5 million people, including information about births, terminations and surgeries.
Dr Teague said that while there were good reasons to release data for research and policy purposes, the report showed there were "important technical and procedural problems to solve".
She said a "much more controlled release in a secure research environment" was required, along with "the ability to provide patients greater control and visibility over their data."
The Department of Health said in a statement that it "takes this matter very seriously" and had already referred this to the Privacy Commissioner.
"The project was halted and remains halted, and the dataset was removed immediately," a spokesperson added.
"This matter dates back to 2016 and since then the Australian Government has taken further steps to protect and manage data.
"The Department is working with the University of Melbourne and has already acted to improve its processes.
"The Department has not been aware of anyone being identified."