Online health service booking platform HealthEngine has notified a "small group" of users of a data breach in which identifying information may have been improperly accessed.
The data was accessed through HelathEngine's Practice Recognition System via the company's website.
The breach was made possible due to an error in the way the provider's website operates, which allowed hidden patient feedback information within the code of the webpage to be improperly accessed by third parties.
On 26 June, following an ABC report that claimed HealthEngine was sharing client's personal information with lawyers, a joint statement by Future Wise, Australian Privacy Foundation and Electronic Frontiers Australia condemned the online booking services provider.
As reported by sister publication Computerworld, the statement from the three privacy rights groups said that the law “must be changed to provide robust privacy protections for all Australians, such as by finally giving us the right to sue for breach of privacy, requiring explicit consent for each disclosure of medical or health data to a third party, and proper auditing of record-access that is visible to the patient.”
In response, HealthEngine CEO Marcus Tan said that media reports have created the incorrect impression that the health and personal information of users is being widely shared with third parties without their knowledge.
"This simply isn’t the case," Tan said. "Users may elect to have their details provided to third parties for referral purposes by an express opt in or verbal consent."
Now, the company has revealed that of the more than 59,600 patient feedback entries that may have been improperly accessed, close to 75 contain identifying information.
HealthEngine said it has reported the breach to the Office of the Australian Information Commissioner and the 75 customers who may have had their data accessed.
The provider also said that it has removed from its website all published patient feedback to prevent that information continues to be made accessible.
HealthEngine's acknowledgment comes just days after Ticketmaster issued a warning to Australian customers following a data breach in the UK, despite the security scare only impacting less than five per cent of customers globally.
The online events ticket reseller identified on 23 June malicious software on a customer support product hosted by Spain-based artificial intelligence provider Inbenta Technologies, an external third-party supplier to Ticketmaster.