Highly sensitive information collected for Covid-19 contact tracing has been put at risk due to a weak system, a scathing report has revealed.
Western Australia’s Covid-19 contact tracing system is plagued with “significant weaknesses” that put people’s highly sensitive personal and medical information at risk, according to a damning report.
As of March 2022, WA Health’s Covid-19 Unified Public Health System (PHOCUS) had information on 128,600 Covid-positive individuals, 41,400 close and casual contacts and 50,400 travellers.
Although no data leaks were found, there was no way to detect “inappropriate modifications or eavesdropping”.
“I expected to find robust access controls for such sensitive medical and personal information, but we found a number of significant weaknesses,” Auditor General Caroline Spencer said in her report tabled in Parliament.
“WA Health provided an external vendor with unnecessary access to the system, and it failed to adequately record and monitor who accessed the information for inappropriate changes or eavesdropping.”
Similar concerns were raised in the SafeWA 2021 audit report.
Ms Spencer said WA Health had given the community little notice of the types of personal information collected by PHOCUS and that the information was stored indefinitely.
“This lack of transparency can have unintended consequences, including an erosion of trust in government institutions,” she said.
Among the report's findings:
- WA Health uses personal information from a variety of sources but has not clearly communicated this to the community;
- WA Health needs to improve controls to protect information in PHOCUS;
- A third-party provider has ongoing access to the information;
- Data encryption and masking are not used;
- Access to information is not properly logged;
- Two system administrator accounts, belonging to a former third-party vendor, were granted access more than 12 months later;
- Malicious files could be downloaded;
- Security requirements are absent from third-party vendors; and
- There is a risk of inaccurate data due to poor management.
WA Health responded to many audit findings and accepted all recommendations.
The report recommended that WA Health:
- Improve transparency around the sources from which it collects personal information and how that information is used;
- Protect information in PHOCUS by restricting access to medical records, data encryption and masking, effective user access controls, logging and monitoring of view and edit access, and limiting file downloads to only approved types;
- Improve data quality processes; and
- Manage risks in supplier contracts.
In a statement, the general manager of health support services, Robert Toms, said the contact tracing system was complex.
“I can assure the WA community that the confidentiality of personal information is our priority and that no personal data has been leaked,” he said.
“Since April 2020, when the system was first launched, it has remained secure and has multiple layers of defense to achieve the highest levels of security.
“Any worker with access to the system must be authorized to do so.”
Chief Health Officer Andy Robertson said the system had been an essential tool for the state, especially at the height of the pandemic.
“Across the country, WA was an early adopter of this technology, which has been key to our response to the pandemic, and a number of other jurisdictions have followed suit,” Dr Robertson said.
“Since its introduction in April 2020 until early May 2022, over 470,000 cases of Covid-19 have been managed through the contact tracing system.
“WA Health has used the system effectively to manage multiple outbreaks through 2020 and 2021, which has allowed WA to avoid community transmission of the most severe variants of Covid-19 such as Delta.”