Private data still online 24 hours after alert
INFORMATION relating to paternity and other testing could still be viewed online over 24 hours after the company responsible was alerted.
CONFIDENTIAL information relating to the paternity, drug and alcohol tests of hundreds of Australian customers could still be viewed online more than 24 hours after the company responsible was alerted to a major privacy breach.
The company, Medvet, Australia's largest for drug and alcohol testing in the workplace, did not perform a deletion exercise of its customers' cached information on Google, despite having pledged on Friday that it was doing everything possible to overcome a serious privacy breach.
Customer information including names, complete home addresses and the type of test kits ordered could still be accessed on Google late on Saturday.
The data breach was closed only after a concerned industry figure, unrelated to Medvet but alarmed at the problem, told Google that the confidential data remained online.
South Australia's Rann government, which owns the company, announced it would push for an independent review into the privacy breach. The government denies having any knowledge of the company's internet security flaws before The Weekend Australian reported that customers' personal details could be accessed.
SA Health Department chief executive David Swan said he spoke to Medvet chairman Terry Evans several times over the weekend and confirmed the company would allow external auditors to examine its systems.
The audit would examine how the privacy breaches happened, who saw the data and when company staff learnt of the problem.
Privacy Commissioner Timothy Pilgrim will investigate Medvet's original internet security breach and the subsequent failure of the company to immediately remove the hundreds of customers' orders that it knew were cached by Google and online.
Medvet will be asked to explain what actions it took when it first became aware in April of a security lapse, and what steps were taken on Friday after The Weekend Australian alerted Medvet managing director Greg Johansen that customers' details were on Google.
Google gives comprehensive online advice on how to remove confidential data including cached pages, and Medvet could have deleted all the offending material on Friday.
Google advises: "The URL removal tool is intended for pages that urgently need to be removed - for example, if they contain confidential data that was accidentally exposed."
IT experts said Medvet should have immediately followed the online steps that show how to "remove Google's cached copy of a page that has already changed on the website or stop Google from showing results for a page that has been taken down completely".
Telecommunications analyst Richard Chirgwin described the breach and the subsequent handling by Medvet as a "face palm, forehead-slap, hang your head in shame howler".
He said it appeared that as Medvet had left its online customer accounts system open to being indexed by Google, "the search engine's crawlers have dutifully recorded customer invoices including addresses and, in some cases, names".
The breach means confidential orders for sensitive tests to determine matters such as the parentage of a child or the presence of drugs could have become known to anyone.
ADDITIONAL REPORTING: MARK SCHLIEBS