A man has been awarded $10,000 after his Medicare records were repeatedly intertwined with a ‘digital doppelganger’ who shared the same name and date of birth.
Privacy commissioner Carly Kind granted the man compensation while addressing complaints he lodged over an ongoing digital ‘intertwinement’ at Services Australia, the government agency which runs Medicare and Centrelink.
The complainant – who went unnamed – contacted the Office of the Australian Information Commissioner (OAIC) after repeated incidents where his Medicare records were mishandled or incorrectly updated with the address of another customer.
Speaking with Information Age, a Services Australia spokesperson said the incidents were the result of human error from “both agency staff and external providers” where the affected individuals shared the same name and date of birth.
Though caused by a simple coincidence, these ongoing mix-ups saw items for another customer’s Medicare claims appear on the man’s record and led to his COVID and influenza vaccination certificates being misassigned to another person.
The man sought remedies exceeding $200,000 for time investment, “grief and distress”, and economic losses for the administration associated with an intended name change, though Kind ultimately granted $10,000 in compensation.
“I have awarded the complainant compensation of $10,000 for distress arising from the privacy breaches, which must have been a considerable burden on his time and energy over the past decade,” said the commissioner.
Kind acknowledged Services Australia has since taken steps to mitigate the risk of intertwinement, though she ultimately determined the agency’s chief executive interfered with the complainant’s privacy from April 2015 to September 2021 by failing to take reasonable steps to protect his personal information from unauthorised disclosure.
Kind also determined the agency’s chief executive failed to take reasonable steps to ensure the personal information it used about the man was “accurate, up-to-date and relevant”, and found his sensitive information had been disclosed to another customer mistakenly and without consent.
Further to paying compensation, Services Australia’s chief executive was made to issue a written apology within 30 days of the determination.
“We acknowledge the Privacy Commissioner’s determination on this matter and we are formally apologising to the customer for the impact of these breaches,” a Services Australia spokesperson said.
More than an inconvenience
Kind noted that being mixed up with a “digital doppelganger”, while uncommon, can carry serious repercussions for those involved.
“Health practitioners may be prevented from accessing accurate records to enable the timely provision of health services,” she said.
“Further, those individuals’ ability to manage the financial aspects of health and government services may be compromised.”
Such was the case for two women named Jessica Ishak, who in 2017 experienced a plethora of billing, voting and medical problems for sharing similar birth details.
And in 2019, another woman was compelled to change her name after authorities repeatedly confused her with a stranger – reportedly resulting in $11,000 worth of her superannuation being rolled into that of her digital ‘twin’.
Home Affairs data from as recent as 2011 showed there were some “several hundred ‘twins’” in Australia who shared an identical name and birth date, while a Services Australia spokesperson said intertwined records are “extremely rare”.
Still, the issue proved significant enough for the agency to introduce a “system enhancement” to the Australian Immunisation Register that has “removed any opportunity for an external provider to attach immunisation details to an incorrect customer record”.
“To prevent further recurrence, we’ve remediated the customer’s records, applied security measures and updated staff training and operational guidance,” a spokesperson said.
‘Humiliating’ vaccination mixup
In his complaint, the man wrote of a “time-consuming and humiliating” process where during the height of the pandemic in 2021, his workplace required staff to present a digital COVID vaccination record to remain employed.
“Despite being fully vaccinated, I could not have this digital record and had to appeal to both the head of HR and to our chief executive to have the policy changed, so I could stay employed,” he said.
The next year, the man cited “hours of nervousness” over expecting to provide a digital vaccination record while travelling for work.
Although the complainant did not provide evidence of any psychological injury, Kind accepted he had “experienced distress as a result of the privacy breach” before awarding the $10,000 compensation.
The commissioner further declared Services Australia must conduct a review of its guidelines in relation to the intertwinement of customer records.
“The agency will implement all the Privacy Commissioner’s declarations in this case, including a thorough review of our guidelines, systems and processes,” a Services Australia spokesperson said.
