PHA CEO Dr Rachel David speaks with ABC Radio Brisbane on healthcare data privacy

Station: ABC Radio Brisbane
Program: Breakfast
Date: 16/1/2023
Time: 7:13 AM
Compere: Craig Zonca and Loretta Ryan
Interviewee: Dr Rachel David, CEO, Private Healthcare Australia


LORETTA RYAN: Okay, when was the last time you tried to get a quote for health insurance? Were you asked to provide your contact details before you could find out just how much the cover you were looking for into costs?
CRAIG ZONCA: Well, yeah, you try to shop around to get the best price possible, but then something unusual happened for our Breakfast producer extraordinaire, Caitlin Sheehan. Morning, Caitlin.
CAITLIN SHEEHAN: Good morning, team.
CRAIG ZONCA: So what happened?
CAITLIN SHEEHAN: So I got a really weird email this week from AHM, which I immediately thought was a scam email just in, you know, as they go around. But it said your details of your impacted data breach. And I’m like, huh? I’m not with AHM. That’s very bizarre. I’ve never been with AHM or Medibank or any of their subsidiaries. I was very confused and as I continued to read, it basically said that I- my details were provided to obtain a quote years ago now, when I was shopping around for health insurance, and that my data was impacted. So based on our investigation, it says we currently believe the following types of data have been stolen, including first name and surname, gender, date of birth, email, address, and phone number.
LORETTA RYAN: Okay. How many years ago, though, did you…?
CAITLIN SHEEHAN: At least three.
LORETTA RYAN: Three years ago?
LORETTA RYAN: So they had this information?
CRAIG ZONCA: And this was just a quote you had asked for?
CRAIG ZONCA: So AHM, part of the Medibank team of companies that were affected by this data breach last year.
CRAIG ZONCA: And you found out this week…
CAITLIN SHEEHAN: [Interrupts] This week.
CRAIG ZONCA: …that you’re one of those customers slash not a customer.
CAITLIN SHEEHAN: [Talks over] I’m not a customer. Yeah. So where do I fit into all of this? It’s very bizarre.
LORETTA RYAN: Do you know, it’s funny. Sometimes some places say to you, ah, you know, your information is private. We won’t keep this or we won’t pass it on. So nothing ever was said to you about the information that they were taking from you for the quote?
CAITLIN SHEEHAN: No. And to be fair, like, I don’t think- I can’t remember back that far, but I don’t remember, like, selecting, like, anything saying, you know, click on this for retaining or anything like that. So I’m just wondering how long do they keep my information for, and what are they using it for?
CRAIG ZONCA: So a couple of years you reckon it’s been. Thank you very much for that, Caitlin, because on the line we have Dr Rachel David, who is the CEO of Private Healthcare Australia. That’s the sector’s peak representative body. Rachel, good morning to you.
CRAIG ZONCA: What are the guidelines? Say, in the case of obtaining a quote and that personal information you provide, how long is that generally kept for?
RACHEL DAVID: Well, look, it does vary between organisations and I think for a quote for someone who did not go on and become a health fund member, I do think a couple of years sounds a little excessive. And I think in light of the issues that have occurred with the data breach, this is one of the things that health funds will be reviewing.
CRAIG ZONCA: Yeah. Are there any strict guidelines about how long your information can be or should be kept?
RACHEL DAVID: It is different for people that might be seeking information from health funds versus health fund members.
RACHEL DAVID: For health fund members or people that have used their health insurance, they’re subject to the rules around medical negligence or some- or the rare situation in which something goes wrong and there’s been some times a patient might need to sue a doctor or a hospital. And in that situation, that data needs to be kept to protect patients and to protect consumers for seven years for an adult and 25 years to a baby who’s born. And that’s because obstetrics, risky surgery involving implants, these are all things that are mostly covered by- in many cases, covered by private health insurance. And so to fully protect people, to ensure that there’s a record of what’s happened to them, they’re subject to the rules around medical negligence or the medico-legal rules that ensure that that information remains available should patients need it in future. For a quote-
RACHEL DAVID: The reason that someone might retain the information, say, for a few weeks is to make sure that a real person gets in touch with that customer to discuss some of the complexities of private health insurance – so that a real call centre person rings up and says, look, are you sure you fully assessed the products and that you’re getting the right things for you? You know, here’s a reminder and so forth. But that’s something that should really only take a couple of weeks. I’m not sure why the data was held for- it sounds like years in this case, but I’m pretty sure that’s one of the first things that the funds will be reviewing in light of the data and cybersecurity issues that occurred last year.
LORETTA RYAN: When obtaining a quote, what sort of data or what sort of information do they require?
RACHEL DAVID: Well, look, I think the- they- probably one of the main things is the person’s age, because that can cause the price to vary, and then some brief information that might indicate what the person’s health needs are and what they’re looking for. So are they looking to be covered for what they call extras, which is things like physio and dental, or are they looking to be covered for something that might require an admission to hospital, like having hip surgery or having a baby? And so, you know, at the very least the person’s age and where they live, you know, because the prices vary between different states and, you know, and then a little bit more information about what sort of cover they’re looking for.
CRAIG ZONCA: Just on this particular case, AHM is part of the Medibank slate of companies and affected some customers in the data breach of last year, and even some who have requested a quote from years ago, does that even meet- under the Australian Privacy Principles? And in that they say: the entity- oh yeah, so when the entity no longer needs personal information, they must take reasonable steps to destroy the information or ensure that it is de-identified. So is this a broader breach of those principles in your mind, Rachel?
RACHEL DAVID: Look, I don’t know the specifics of the case, but one thing I think I’m absolutely clear on is this is one thing that, not just health funds, but pretty much all businesses in light of what’s happened last year, it’s going to be looking at very carefully. The fact that, you know, holding on to this information, maybe not even doing anything with it is pretty much not on given the risks that build up over time from security breaches. And I think that, you know, whether there was a privacy principle issue here or not, I think that this is one of the first things that Medibank and some of our other health funds will be looking at in light of what’s happened.
CRAIG ZONCA: And Rachel, given what happened at Medibank, is it turning people off private health insurance at all?
RACHEL DAVID: No, not really. At the moment, there are a lot of other things going on in the economy that’s actually meant that the market for private health insurance is growing and has grown for the last nine quarters. One of the main things is some of the problems that our public hospitals are facing after the pandemic and the very long waiting lists and the issues with emergency department ramping which have occurred, and certainly people who have been told they need surgery are joining in much larger numbers than before because of waiting lists and some of the problems with the public system.
LORETTA RYAN: Well, today, isn’t it, that the premiums are being increased for Medibank and AHM. What should customers be aware of this year when it comes to price increases?
RACHEL DAVID: Well, this is an increase that was put off from last year as a consequence of both the pandemic and the fact that the cybersecurity breach occurred. So it was a planned increase last year that didn’t happen. I think if anybody at all is concerned about the cost of their health insurance, there are a lot of sites that enable you to compare different products, but the most reliable one is one run by the Federal Government which is at- called, and that has all the health fund products on it. So it’s not- like, some of the other commercial sites might only compare a small range, but this one,, has all of them. And so a good starting point is that site. And then you can always ring your health fund as well to ask for other options that might be a bit cheaper that might also meet your needs.
CRAIG ZONCA: Can certainly pay to shop around. Rachel, thanks for your time this morning.
RACHEL DAVID: No problem.
CRAIG ZONCA: Dr Rachel David, who’s the CEO of Private Healthcare Australia.
* * END * *