The Sydney Morning Herald reports on a medical data privacy breach in Australia:
Australians who bought drug and paternity tests from one of the country’s largest providers are dealing with a serious privacy scare after details of their orders were found to be available online.
Medvet, owned by the South Australian government, appears to have failed to lock down its online order system and prevent it from being crawled by Google. Hundreds of orders of tests from people all over Australia can be found by searching Google for a specific term, which Fairfax Media has chosen not to publish.
The privacy breach was revealed over the weekend and, while the orders have been pulled from Medvet’s site, all were still accessible through Google’s cache as at noon today. The invoices detail specifics on the type of paternity test ordered or the specific drug that the person is being screened for. […]
The Privacy Commissioner, Timothy Pilgrim, has begun an investigation into the matter including claims Medvet knew about the privacy breach since April. […]
Medvet managing director Greg Johansen said in a statement the company “deeply regrets that its web store security has been compromised”.
Despite the use of the term “compromised”, Medvet has yet to provide evidence that there was an attack on its systems.
Rob McAdam, chief executive of computer security firm Pure Hacking, said that until a proper investigation was completed “it’s not possible to ascertain whether their site was maliciously targeted or if security controls simply did not prevent Google from indexing the sensitive information”.
In an update, the Herald reported, “Medvet says it has now removed all private order information from Google’s cached search results.”