The Australian reports on a privacy case concerning Medvet, a company that conducts drug, alcohol and paternity testing:
THE largest Australian company in the field of drug, alcohol and paternity testing has been found to have breached the Privacy Act for displaying on the internet confidential, sensitive information about hundreds of customers and their orders for testing kits.
But Privacy Commissioner Timothy Pilgrim found Medvet had acted quickly last July to resolve the privacy breach, despite The Australian establishing the company had not fixed the problem after being told three months earlier that customers’ information had become readily available on Google.
The Australian reported last July that, because of IT security lapses by Medvet, the complete home addresses of customers and the type of kits ordered — from tests for paternity to the presence of illicit drugs — were visible on the internet. The privacy breach was resolved after a concerned industry figure told Google that the confidential data remained online because Medvet had failed to fix it — despite being tipped off in April last year, then again by this newspaper after its report was published. […]
The Privacy Commissioner’s office was given documents a year ago showing the whistle-blowing industry figure had first alerted Medvet three months before The Australian revealed the breach.
Email trails show the industry figure had told Medvet that customers’ information was being displayed online. However, Medvet did not fix the breach and the loophole had remained open.
In his findings, however, Mr Pilgrim said that Medvet took steps to remedy the situation “as soon as it became aware of the incident”. […]
The formal findings have raised questions about the rigour and independence of investigations by the office of the Privacy Commissioner.
Mr Pilgrim’s findings appear to adopt parts of a report by Deloitte, management consultants who were paid by Medvet to perform an audit.
Read the full article for more details.