Companies in breach of privacy laws in sharing data from personal health records

Bodies say data was shared for up to three years between 2011 and 2018

Private companies in South Australia, in breach of privacy laws, were illegally using information from people with personal health records in marketing text messages, the privacy commissioner has found.

The private health companies BVAG, Mobitix and MOXIBF use telemarketing numbers provided by the public sector to target their customers, but have “stalled” on a voluntary agreement to stop sharing the data with third parties.

On Monday the privacy commissioner, John McMillan, issued interim orders requiring the three companies to provide the information in an unredacted form.

The data, whose origin cannot be identified, was analysed by OPP to find the private health companies were using the personal health information to send spam text messages, comments and orders to their customers’ phone numbers.

Text messages have been deemed intrusive because they usually arrive before a person has time to stop them or read the message.

Inspectors from the South Australian ombudsman found BVAG had been sharing the data with Mobitix and MOXIBF between 2011 and 2018.

It is yet to determine whether MOXIBF and Mobitix sent the information to third parties, or if it simply passed it along.

South Australia’s health minister, Stephen Wade, said although the data was not considered as sensitive and private as telephone numbers, the people whose information had been used “will be the first to know if a breach occurred”.

He said the companies had been given time to comply with the orders “before any investigations”.

Ombudsman John McMillan said he had issued interim orders against the companies but intended to continue investigating the breaches.

McMillan said: “The chief medical officer of the South Australian health service requested that the state ombudsman investigate information released by MOXIBF, BVAG and Mobitix via the Telemarketers Exchange of South Australia (TEOSA).

“These private sector organisations created a hub on TEOSA and used confidential personal health information collected from the South Australian health service, including breast cancer information, as part of marketing text messages to their customers.

“As is our statutory right to examine these issues, the ombudsman ordered the companies to hand over unredacted records relating to these incidents for examination.

“BVAG, Mobitix and MOXIBF subsequently stalled on the TEOSA obligations and refused to cooperate with the ombudsman.

“The ombudsman issued a Consent to Investigate action and direct compliance orders relating to the breach. The ombudsman has issued interim orders to BVAG, Mobitix and MOXIBF to provide the information in an unredacted form. The ombudsman expects these enforcement orders to be complied with and requested an updated disclosure notice from the companies to ensure compliance.”

Department of Health specialised medical advising support [LPSS] uses the TEOSA to deliver health promotion messages to health service contacts through carrier services.

“The whole purpose of the TEOSA system is to provide safe and effective delivery of telemarketing voice, SMS and email messages,” says a department spokesman.

“TEOSA is secured by commercial confidentiality. Data collected is only used for telemarketing and this is used for direct marketing to members of our public health care service.

“We are working with the ombudsman to resolve this matter as soon as possible.”

The National Privacy Commissioner, Elizabeth Broderick, has set an April deadline for companies to sign up to the fair-use guarantee, which requires them to remove data from a website if it is already publicly available on a site, without permission.
