The Northern Territory government has breached the privacy of thousands of public health patients by sending identifiable medical records to a software vendor with offices in Europe, South America and China.
A preliminary incident report, obtained by the ABC through freedom of information laws, shows the extent of identifiable patient data transferred between NT Health, the Core Clinical Systems Renewal Program (CCSRP) and global software vendor Intersystems between 2018 and 2019.
The CCSRP, which sits within the Department of Corporate and Digital Development, was established in 2017 to integrate four NT Health patient record systems into one, at a cost to taxpayers of $259 million.
The new health record system, named "Acacia", uses software purchased from Intersystems.
The records of 50,616 patients were sent from NT Health to the CCSRP.
Then, as part of the arrangement, 3,277 identifiable patient records were transferred from the CCSRP to Intersystems.
That is according to Intersystems, which was asked by the CCSRP for an audit of the transferable data prior to the incident report.
But experts said it was not clear whether every file sent to Intersystems was found.
Transfer of data a 'systemic issue'
The incident report was commissioned by NT Health in 2019 to quantify the scale of data transferred.
The report established four criteria to evaluate the clinical risk associated with each record sent between NT Health, CCSRP and Intersystems.
Two records transferred from CCSRP to Intersystems were classed as "very-high risk", with 476 regarded as "high risk".
To be ranked in these two "risk rating" categories, a patient's full name had to be visible, with "highly sensitive" or "sensitive" information present.
Patient items included psychology reports and psychiatric facility visits, termination of pregnancy or stillbirth records, and electroconvulsive therapy — also known as electric shock therapy — records.
Oncology treatment location visits, organ donation and receipt details were also transferred.
All other patient items were either classed as "medium risk" or "low risk", with the report stating the "transfer of identifiable data was a systemic issue and not performed by a single malign body".
The incident was never made public by then-health minister and current Chief Minister Natasha Fyles.
In a statement to the ABC, Ms Fyles said the incident was referred to the NT Information Commissioner.
Intersystems — which has its headquarters in the United States but has offices across 26 other countries — didn't respond to questions from the ABC.
'How far have the files been spread?'
The incident report also revealed that no data governance framework was set by either NT Health or the Acacia project team prior to the transfers.
Cyber security expert at the University of New South Wales Professor Richard Buckland said Northern Territory residents had a right to be worried.
"How far have the files been spread?" he questioned.
"Who knows if [Intersystems] found all the files that were actually sent?"
Other cyber security experts have told the ABC that normal practice when transferring health data is to undertake privacy impact and security impact assessments.
"There'd be a data governance plan," Professor Buckland said.
"They would de-identify [the data], it would have been encrypted, and there would have been processes in place to control who can look at it, and for how long, and it would have been securely deleted after.
"I suspect if a data governance plan had been worked out, they wouldn't have even used live data.
"They would have made mock data based on live data, because there is no reason, in setting up a system, to use live data — you can make close enough replicas."
Risk of data hack
Sending identifiable patient health data to a software vendor also created an opportunity for it to be hacked, Professor Buckland said.
"The risks that people face are the same risks we saw with Medibank, that there's confidential data that you might be embarrassed about being released," he said.
"If that data was not properly looked after and got into the public domain or bad guys got a hold of it, then people could be blackmailed … or ransomed.
"The big danger is if you were in rehabilitation or had electroconvulsive therapy … and that gets released into the public, then that will be visible to anyone who googles your name in the future."
In a statement, NT Health said the files have been permanently deleted and internal controls have since been strengthened.