Western Australia’s Covid-19 contact tracing system is plagued with “significant weaknesses” that put people’s highly sensitive personal and medical information at risk, a damning report has found.
As of March 2022, WA Health’s Public Health Covid-19 Unified System (PHOCUS) held information about 128,600 Covid-positive people, 41,400 close and casual contacts and 50,400 travellers.
Although no data leak was found, there was no way to detect “inappropriate changes or snooping”.
“I expected to find robust access controls for such sensitive medical and personal information, however we found a number of significant weaknesses,” Auditor-General Caroline Spencer said in her report tabled in parliament.
“WA Health has provided an external vendor with unnecessary system access, and it did not adequately log and monitor who had accessed information to detect inappropriate changes or snooping.”
Similar concerns were raised in the 2021 SafeWA audit report.
Ms Spencer said WA Health had told the community little about the types of personal information PHOCUS collected and that the information was stored indefinitely.
“This lack of transparency can lead to unintended consequences, including erosion of trust in government institutions,” she said.
- WA Health uses personal information from various sources but has not clearly communicated this to the community;
- WA Health must improve controls to protect information in PHOCUS;
- A third-party vendor has ongoing access to information;
- Data encryption and masking not used;
- Access to information not adequately logged;
- Two system administrator accounts, belonging to a former third-party vendor, had access more than 12 months later;
- Malicious files could be uploaded;
- Security requirements are missing from third-party vendors; and
- There is a risk of inaccurate data due to poor management.
WA Health addressed many of the findings during the audit and has agreed to all of the recommendations.
- Improve transparency around the sources they collect personal information from and how it is used;
- Protect information in PHOCUS by restricting access to medical records, data encryption and masking, effective user access controls, logging and monitoring of view and edit access, and restricting file uploads to only approved types;
- Improve data quality processes; and
- Address risks in vendor contracts.
In a statement, Health Support Services chief executive Robert Toms said the contact tracing system was complex.
“I can assure the WA community that confidentiality of personal information is our priority and that no personal data has been released,” he said.
“Since April 2020, when the system was first launched, it has remained secure and has multiple layers of defence to achieve the highest levels of security.
“Any worker who has access to the system must be authorised to do so.”
Chief health officer Andy Robertson said the system had been a critical tool for the state, especially during the height of the pandemic.
“Across the nation, WA was an early adopter of this technology, which was key to our pandemic response, and a number of other jurisdictions followed,” Dr Robertson said.
“Since it was introduced in April 2020, to early May 2022, more than 470,000 Covid-19 cases have been managed through the contact tracing system.
“WA Health used the system effectively to manage multiple outbreaks through 2020 and 2021, and this allowed WA to avoid community transmission of the more severe Covid-19 variants such as Delta.”