Paternity firm slapped over privacy breach

THE largest Australian company in the field of drug, alcohol and paternity testing has breached the Privacy Act.

THE largest Australian company in the field of drug, alcohol and paternity testing has been found to have breached the Privacy Act for displaying on the internet confidential, sensitive information about hundreds of customers and their orders for testing kits.

But Privacy Commissioner Timothy Pilgrim found Medvet had acted quickly last July to resolve the privacy breach, despite The Australian establishing the company had not fixed the problem after being told three months earlier that customers' information had become readily available on Google.

The Australian reported last July that, because of IT security lapses by Medvet, the complete home addresses of customers and the type of kits ordered -- from tests for paternity to the presence of illicit drugs -- were visible on the internet. The privacy breach was resolved after a concerned industry figure told Google that the confidential data remained online because Medvet had failed to fix it -- despite being tipped off in April last year, then again by this newspaper after its report was published.

A technology analyst at the time described the breach and the subsequent handling as a "face palm, forehead-slap, hang your head in shame howler" as Medvet had left its online customer accounts system open to being indexed by Google, and "the search engine's crawlers have dutifully recorded customer invoices including addresses and, in some cases, names".

The Privacy Commissioner's office was given documents a year ago showing the whistle-blowing industry figure had first alerted Medvet three months before The Australian revealed the breach.

Email trails show the industry figure had told Medvet that customers' information was being displayed online. However, Medvet did not fix the breach and the loophole had remained open.

In his findings, however, Mr Pilgrim said that Medvet took steps to remedy the situation "as soon as it became aware of the incident".

He said a forensic investigation by Medvet's consultants, Deloitte, had concluded "Medvet management responded quickly and appropriately, referring all concerns back to the software provider".

Mr Pilgrim found "that Medvet acted swiftly to identify the security risks as soon as it became aware of the incident". "The accessibility of address information on the internet constituted unlawful disclosure of personal information" in contravention of the Privacy Act.

Mr Pilgrim found that Medvet, owned by the SA government, did not have reasonable steps in place to protect personal information.

The formal findings have raised questions about the rigour and independence of investigations by the office of the Privacy Commissioner.

Mr Pilgrim's findings appear to adopt parts of a report by Deloitte, management consultants who were paid by Medvet to perform an audit.

The industry figure was neither interviewed nor contacted by the Privacy Commissioner in his "own motion" investigation.

Mr Pilgrim said the Deloitte audit showed that while the details of orders were online, "no customer names, client bank account details or details of any test results were available online".

Asked to respond, Mr Pilgrim said yesterday: "I used the Deloitte report to confirm evidence gathered from other sources".

He said Medvet became aware of the original incident in April and this was rectified with a software patch.

He said his investigation was triggered by another similar incident that was detected and reported in July last year.

"This related to a second system failure in June 2011 for which another patch was issued and a further incident in July 2011. In response to these later incidents SA Health commissioned Deloitte to undertake an investigation of the Medvet customer ordering system and associated security controls. I found Medvet in breach of the Privacy Act . . . "

Mr Pilgrim's findings stated it was "clear from the Deloitte forensics report that multiple security flaws existed in software provided to Medvet, which had put individuals' personal information, including sensitive health information, at risk of being compromised".

He said that "at the time of the incident, Medvet did not have an adequate level of security in place to protect the personal information, including sensitive health information, it held".

Medvet declined to comment yesterday and said it would not be releasing the 50-page Deloitte report. A Deloitte spokesman said: "We are not able to comment on client work. We are absolutely confident in the report commissioned by and provided to the client."

Hedley Thomas, National Chief Correspondent

Hedley Thomas is The Australian’s national chief correspondent, specialising in investigative reporting with an interest in legal issues, the judiciary, corruption and politics. He has won eight Walkley awards including two Gold Walkleys; the first in 2007 for his investigations into the fiasco surrounding the Australian Federal Police investigations of Dr Mohamed Haneef, and the second in 2018 for his podcast, The Teacher's Pet, investigating the 1982 murder of Sydney mother Lynette Dawson. You can contact Hedley confidentially at thomash@theaustralian.com.au

Original URL: https://www.theaustralian.com.au/news/investigations/paternity-firm-slapped-over-privacy-breach/news-story/8429c25c7c1325cb22327eb2afd0a3e8