House of Assembly - Fifty-Fifth Parliament, First Session (55-1)
2023-10-31 Daily Xml

Contents

Personify Care Cybersecurity Incident

Mr COWDREY (Colton) (14:41): My question is to the Premier. When was the Premier informed of the data security incident impacting SA Health patients and what steps has the Premier taken since being informed? With your leave, sir, and that of the house, I will explain.

Leave granted.

Mr COWDREY: It was reported over the weekend that the patient records including details of more than 12,000 people were accessed by a non-authorised third party and medical records of 120 people had been deleted on 16 October.

The Hon. C.J. PICTON (Kaurna—Minister for Health and Wellbeing) (14:42): As has been documented, as was released proactively by the government on the weekend, Personify Care is a company that provides services to hospitals and health services right around the country. It's based here in South Australia. It has been used by SA Health since 2020 to provide patient portal services where people who might be going for appointments can input their information. They have had an issue whereby SA Health has been one of a number of clients who have been impacted by an issue where a human error from one of their staff has resulted in access being allowed that enabled the deletion of one of their files and folders that contained SA Health information. We are not aware of the other organisations that have been involved in that.

This is something that I believe happened on 17 October. I was fully briefed about this on Tuesday last week after some initial notifications that something had happened but without the full information being available on the Friday before that. We then worked very hard over the next few days to put together the full information to make sure we had the full comprehensive impact in terms of patients of which a small number comparatively of 121 had patient information from medical information as part of that. A larger number of some 12,000 had information such as name and contact details and phone number as part of that information.

There is not evidence that we have before us to say that it was accessed or copied. The only evidence that we have from that third party, Personify Care, is that it is deleted. Of course, we made the appropriate notifications to DPC as part of that work over those busy few days last week.

We thought it was important that we go proactively to give that information over the weekend as soon as that information was ready, and we have also been in the process of emailing and sending letters to people who have been affected by that and giving them the full information. This is something that Personify Care themselves are investigating, but we are also doing our work—from SA Health's perspective—to investigate and review the circumstances, and review if there are other things that need to be put in place to prevent such an occurrence happening in the future.