My Health Record system's physical and information security measures used to access the My Health Record system for pathology and diagnostic imaging services did not meet the ADHA's recommended standard for passwords, according to assessments made by the Office of the Australian Information Commissioner's (OAIC). 

"In relation to physical and information security measures, while most assessment targets reported good physical security measures, most did not meet the ADHA's recommended standard for passwords used to access the My Health Record system," the OAIC said.

Detailed in the OAIC's annual digital health report [PDF], the agency did note, however, that most of My Health Record's assessment targets reported having a procedure in place for identifying and responding to My Health Record-related security and privacy risks even though there were areas for improvement in relation to recording matters relevant to security breaches.

During the 2020-21 financial year, three data breach notifications were submitted to the OAIC in relation to My Health Record. Two of the three have been finalised.

In the agency's annual report, which was also released this week, it said 975 data breaches were reported in Australia during the 2020-21 financial year. This was 7% less compared to the previous financial year, with the OAIC saying that 80% of the data breaches reported under its Notifiable Data Breaches (NDB) scheme were finalised within 60 days.

The average time taken to finalise a data breach notification was 62 days, down from 76 days in 2019