Advise DVA immediately if veteran patients’ records are breached

Recent cyber-attacks on health providers’ records, and the consequent hacking of patients’ personal banking and other accounts, highlight the need to be ever vigilant about the security risks to patient records.

3 December 2019

DVA requires all providers to use secure data management processes to ensure the protection of DVA clients’ personal information.

Health providers who treat veteran patients are requested to review their respective DVA contractual agreements and/or DVA Provider Notes to ensure they are meeting their obligations regarding the management of DVA clients’ confidential records. This includes DVA-contracted private hospital providers and day procedure centres.

Suppliers under the Rehabilitation Appliances Program (RAP) and Booked Car with Driver (BCWD) scheme who provide services to eligible DVA clients should also review DVA’s privacy requirements in their individual Deeds of Agreement.

DVA’s requirements relate to any exchanges of patient information, management of electronic records, requests for access to records, Freedom of Information (FOI) requests, and other data-related activity.

Providers must meet patient record storage and security requirements as defined in the Australian Privacy Principles. These provide instructions on the steps providers are to take in the event of a security breach of their patients’ confidential details.

DVA further requires health providers to advise the department immediately if a security event involving DVA clients has occurred.

It is vital that measures are taken to support affected DVA clients or their dependents, given the potential vulnerability of veteran patients. A breach of their confidentiality can have serious consequences.