Medvet Science Pty Ltd (Medvet), trading as Medvet Laboratories, has been found in breach of the Privacy Act 1988 (Cth) (Privacy Act) following an investigation by the Australian Privacy Commissioner.

The Commissioner opened an own motion investigation in response to media reports that names, home and work addresses of Medvet customers who had ordered paternity, drug and alcohol test kits via Medvet’s online Webstore could be accessed via a Google search.

A report on the incident commissioned by SA Health stated that 848 online orders for parentage or illicit drug testing services or products were stored in Medvet’s online web store accessible and captured via a Google cache. The testing showed that 29 of these orders had been accessed over a two month period.

Medvet said the information available via the Google cache was limited to the ‘ship to address’ from each order, details of the service/product requested and the price paid for that service/product. In that regard, no customer names, client bank account details or details of any test results were available online.

The Commissioner concluded that the accessibility of address information of Medvet’s customers on the internet constituted a disclosure of personal information. This disclosure was not permitted by the exceptions under NPP 2. This disclosure was, therefore, a breach of NPP 2.

The Commissioner considers that, at the time of the incident, Medvet did not have an adequate level of security in place to protect the personal information, including sensitive health information, it held. For that reason, Medvet did not meet its obligations under NPP 4.1 the Privacy Act.