The Health Department has removed Medicare data from its website amid an investigation into whether personal information has been compromised.
Australian Privacy Commissioner Timothy Pilgrim has launched an investigation after academics found it was possible to figure out some service provider ID numbers in the Medicare Benefits Schedule and Pharmaceutical Benefits Schedule datasets, published on August 1.
The University of Melbourne academics said they notified the department of the issue on September 12, adding that the data was then "immediately removed".
In a joint report, Drs Chris Culnane, Benjamin Rubinstein and Vanessa Teague described the incident as "serious".
"If we can reverse-engineer the details in a few days, then there is a risk that others could do so too," they stated.
They said the dataset was created by selecting a random 10 per cent of Medicare patients, whose claims from 1984 to 2014 were included.
Health Minister Sussan Ley has apologised for the breach after the department admitted on Thursday that de-identified medical data it released in August was able to be decoded.
The department was alerted on September 8 to the breach by Melbourne University researchers who were able to decrypt some of the information.
Doctors warn it's possible individual patients could be identified.
Ms Ley insists government security experts have advised there was no public release of confidential information.
No information about patients or health service providers was made public, she said.
"While the academic team has shown that the health service provider numbers can be decrypted, this information has not been published or disseminated," She told the Royal Australian College of General Practitioners annual conference in Perth.
"It's certainly something we take seriously and we apologise for any concern this may cause you as providers.
"However what we cannot and must not do is shy away from using data to improve health outcomes for patients and clinical practice."
Ms Ley insisted the government had worked swiftly to tighten privacy laws, with Attorney-General George Brandis rushing on Wednesday to amend legislation making it illegal to re-identify de-identified government data without authorisation.
But Dr Nathan Pinskier, chair of the RACGP's expert committee on e-health, says the retrospective changes will do nothing to retrieve sensitive information already made public.
He said the RACGP expressed concern about the potential for the data to be decoded when it was initially released but was never consulted by the Health Department.
"If you can reaggregate it, even though it's illegal to do so, somebody probably will," he said.
"There is a possibility individual consumers could be identified - it could be potentially devastating."
"This was rushed, they didn't do a proper evaluation, and if they'd done their proper threat risk assessment they probably would have not released information in that form."
Dr Pinskier believes the data release by the department last month was a knee-jerk reaction after the government cut funding to other primary care research programs.
Ms Ley said the de-identified Medicare and Pharmaceutical data were removed once the department was alerted and remains offline.
The privacy commissioner has been notified and investigations are under way.
Opposition health spokeswoman Catherine King demanded the government explain why it had to be alerted to the breach by university researchers.
"The health minister has given no assurances that the health providers who are affected by this breach will be told about it," she said.
"Australians deserve an explanation of how this health data was breached."
