
Incident: Thousands of identifiable Northern Territory patient health files sent to overseas-based software vendor in government data breach | ABC News (Australia)

Australian Medical Data Handling Incident, 25 May 2023
Thousands of identifiable Northern Territory patient health files sent to overseas-based software vendor in government data breach
NT Health says the onus is on individuals to check if the privacy of their medical records has been breached.
Source: Thousands of identifiable Northern Territory patient health files sent to overseas-based software vendor in government data breach | ABC News (Australia)
Source: Patients told to contact NT Health following privacy breach of identifiable medical records | ABC News (Australia)
View more incidents from Medical and Health Care sector and other reports from Northern Territory.
The Northern Territory government has breached the privacy of thousands of public health patients by sending identifiable medical records to a software vendor with offices in Europe, South America and China.
Northern Territory Health says the onus is on individuals to check if the privacy of their medical records has been breached by the government.
A preliminary incident report, obtained by the ABC through freedom of information laws, shows the extent of identifiable patient data transferred between NT Health, the Core Clinical Systems Renewal Program (CCSRP) and global software vendor Intersystems between 2018 and 2019.
On Thursday, the ABC revealed that more than 50,000 patients had their identifiable health files sent between two NT government departments in 2018 and 2019 as part of a software system upgrade.
More than 3,000 of those records were then sent to global software vendor Intersystems, which has offices in 27 countries, including in Europe, South America and China.
Some patient items were classed as having very-high or high clinical risk, such as psychology reports and psychiatric facility visits, termination of pregnancy or stillbirth records, and electroconvulsive therapy — also known as electric shock therapy — records.
Chief Minister Natasha Fyles, who was health minister at the time, never made the privacy breach public. In a statement to the ABC, Ms Fyles said the incident was referred to the NT Information Commissioner.
The incident report also revealed that no data governance framework was set by either NT Health or the Acacia project team prior to the transfers.