Government shared veterans’ confidential medical data

31 Jul 2023

Identified medical records belonging to 300,000 veterans, widows and others connected to the Department of Veterans’ Affairs have been routinely provided to a university for cost-saving research without the knowledge or consent of the people involved.

The practice, ostensibly to deliver the Veterans’ Medicines Advice and Therapeutics Education Services (MATES) program, has been running for almost two decades, but the Department of Veterans’ Affairs (DVA) has, at least since 2017, wilfully ignored concerns raised by veterans who discovered only by accident that their sensitive data was being given to a third party.

In the six years since a complaint was made by a former serviceman, the department has refused to halt the data handover, asserting it was within its rights to do what it wanted with the medical records and did not need the consent of its clients to continue the program.

The files transferred to the University of South Australia, which is contracted to run the MATES program, are extensive and cover “hospital records including diagnosis and procedure … pharmacy, medical and allied health records including [details of] doctor visits, radiology and pathology”. Alongside names, gender, date of birth and family status, the records also include pregnancy terminations, sexual health treatments, alcohol and drug addiction treatments and details of involuntary mental health treatment orders or other services. These records are provided to the university every month.

Six years after an initial complaint was made to the DVA, the Office of the Australian Information Commissioner (OAIC) found in April that the department had “interfered with the complainant’s privacy” and breached two key elements of the Australian Privacy Principles (APPs). It awarded the complainant $5000 in compensation.

In dealing with the complaint, however, it appears the DVA was dishonest with both the client and the OAIC. Submissions made throughout the investigation by the department claimed “participants in the MATES program are aware that they can, at any time, revoke their consent to use and disclosure of their personal information”.

When pressed on what evidence the Information Commissioner had to rely on to uphold this claim from the department – the complainant had never seen any such notices – the DVA quietly updated its website to include for the first time a “privacy collection notice” in relation to the MATES program.

This was more than a month after the request for evidence and weeks before the final decision of the OAIC.

Archives of the DVA website show no such privacy collection notice existed before March 14 this year.

The OAIC required the department to apologise in writing to the complainant within a week of the decision. A month later, the apology was finally made by the first assistant secretary, Traci-Ann Byrnes.

“The Department should have given effect to your withdrawal of consent and respected your desire not to participate in the MATES program,” she wrote on May 26.

“I am sorry that did not happen and for the resulting interference with your privacy. The Department recognises that it is in a position of trust in the collection and handling of your personal and sensitive information and its failure to properly action your withdrawal of consent fell short of the high standards expected of the Department.

“I deeply regret and understand the loss of trust this has caused.”

The University of South Australia’s Quality Use of Medicines and Pharmacy Research Centre is contracted to deliver the MATES program using data provided by the DVA that has not been de-identified. The program uses 15 years of historical health data to “evaluate treatments and treatment approaches, identify problems with medications or combinations of medications and support evidence-based education for doctors and health practitioners”.

When MATES was launched at the university in 2004, the Howard government Veterans’ Affairs minister, Danna Vale, said the smaller precursor program it was replacing had “delivered an estimated saving of up to $40 million in drug and hospitalisation costs”.

In the past financial year, the Department of Veterans’ Affairs administered $3.81 billion in healthcare payments to its clients, including veterans and war widows.

“For the puffery that the department put out about improving health outcomes, the objective overwhelmingly of the MATES program appears to be one of costs reduction and control,” a source who spoke to The Saturday Paper on condition of anonymity said.

“But the issue here is not the department toe-cutting medical costs, but that they essentially have constructed a mass health surveillance database of identified medical records that they have been disclosing without de-identification to other entities and without telling the people those records are about, or getting any informed consent from them to do so.

“And the department seems well aware it should have done so but deliberately obscured what it was doing because it feared that if it did run the MATES program on a legitimate opt-out basis that it would affect its surveillance capabilities.”

Indeed, even the university work goes further than simply administering the MATES program. It uses the DVA medical datasets to conduct other research and has published a series of papers over years that claim ethics approval “was obtained from the Department of Veterans’ Affairs human research ethics committee and the University of South Australia ethics committee”.

The Saturday Paper asked the University of South Australia if its ethics approval process required researchers to obtain approval from study subjects either directly or by seeking assurances from the DVA, and if this had in fact happened.

The university declined to respond, referring questions to the department. Both refused to advise whether the records of those who have opted out had been destroyed by the university.

Submissions made by the complainant in the matter raised with the OAIC noted the “extremely sensitive medical information” provided en masse to the University of South Australia was precisely the kind of information that was increasingly seen as valuable to hackers, both here and internationally.

“The recent Medibank hack has shown [this data has] a real potential to be weaponised against the clients … and warrants higher protection,” the submission says.

On Wednesday, the ABC revealed scammers had used credentials stolen from the Medibank and Optus data breaches to siphon more than $550 million from the Australian Taxation Office. Private medical information held by Medibank was released to the dark web after the company refused to pay a bribe.

Universities are also priority targets for hackers and the University of South Australia was hit by a serious attack in mid-2021, which resulted in “major” disruptions to IT networks.

In her determination of the complainant’s case, Information and Privacy Commissioner Angelene Falk declined to award aggravated damages.

“A breach of the APPs on its own, such as a failure to obtain the complainant’s consent, does not automatically mean that this conduct is high-handed, malicious, insulting or oppressive,” she said.

“While the respondent’s failure to properly process the complainant’s revocation requests may raise an inference of improper conduct, it could equally be explained by the respondent’s oversight or neglect.

“Without further information, I am not satisfied that the respondent has behaved in a way that is high-handed, malicious, insulting or oppressive.”

Falk appeared to accept statements from the DVA that it had acted in good faith and that it had provided clients with a way to opt out of the data collection when it had not done so.

“The Department has provided no evidence it has communicated to individuals – whose medical information is being collected and disclosed to the MATES program – reasonable notice ‘that they can, at any time’ opt out of these MATES disclosures, or any evidence that the Department is ‘fully and promptly’ actioning requests from individuals to be opted out of these monthly MATES disclosures made by the Department,” the complainant said in submission to the commissioner.

“Such claims must be assessed by claims previously made by the Department to the OAIC, such as … claims it would make an apology to or engage with the complainant.

“Despite being made to the OAIC [these] were never carried out nor delivered by the Department, and have solely been made to mislead the OAIC as to the Department’s persistent high-handed conduct.”

A spokesperson for the OAIC told The Saturday Paper in a statement this particular complaint was made by an individual and the office was unable to consider “broader matters”.

“The OAIC has to make many decisions about how it pursues investigations and how it deploys its resources,” the statement said.

“We provide guidance on how regulated entities should act in accordance with the Australian Privacy Principles, and they should be in no doubt what is required.”

A DVA spokesperson said veterans receiving gold, white or orange cards have been made aware “for more than five years” of a general notice that their personal information is being collected in order to “administer and process treatment and payments, and to provide services to you”.

The generic terms and conditions do not mention the MATES program or that the data supplied is fully identified.