The personal health information of 317 people applying for Australian visas was accidentally emailed to a member of the general public, an ABC investigation has revealed.

Key points:

317 names, dates of birth, passport numbers and medical test notes were sent to an unknown Gmail address

The subcontractor was removing data from secure Immigration Department systems, against government policy

Subcontractors are increasingly relied upon to handle sensitive public data

The security bungle occurred when a spreadsheet was sent by mistake to an unknown individual's email address, because of a typo.

The privacy breach, which happened in 2015, occurred under the watch of Australia's largest health insurance company, Bupa, and one of its subcontractors, Sonic HealthPlus (SHP).

Bupa is contracted by the Department of Home Affairs to assess the health of people applying for visas and permanent residency in Australia.

Documents obtained under a Freedom of Information request by the ABC reveal that in August 2015, an SHP employee accidentally sent the names, dates of birth, and passport numbers of 317 people, along with "brief notes, summaries and comments about the status of the medical tests being conducted" to an unknown Gmail address.

It was a mistake that would eventually lead Google Australia to intervene.

The privacy breach follows a 2014 incident in which the Immigration Department accidentally published the names, gender, and boat arrival dates of 10,000 adults and children in Australian immigration detention.

Bupa has also struggled with data security in the past. In 2017, the information of an estimated 20,000 Australians was compromised when a Bupa employee in the UK was found to have put client data from the insurance giant up for sale on the dark web.

Bruce Baer Arnold, a privacy and health law expert from the University of Canberra, said the latest privacy breach was "deeply concerning".

"With this one, I'm just speechless," Dr Baer Arnold said.

"The idea that we have an inadequately-supervised subcontractor using something like Gmail to transfer sensitive, personal health information is utterly appalling."

In a statement to the ABC, the Department of Home Affairs said the matter was immediately brought to their attention and fully investigated.

"The document contained bio-data details of visa applicants. No actual personal client medical records were disclosed as part of this incident."

The department said it was satisfied Bupa, and all of its subcontractors, currently only use systems that comply with the government's data security protocols.

Contractors can be a security vulnerability

Following the freshly revealed 2015 privacy breach, the then-department of immigration and border protection discovered that subcontractor SHP was removing the data of visa applicants from "authorised departmental health systems" and creating status reports in the form of Excel spreadsheets to send to Bupa.

The information was being extracted and shared in this way between SHP and Bupa against the department's policies and without its knowledge.

It led the department's chief medical officer to write to the managing director of Bupa to inform him the company had "failed to comply" with the privacy obligations set out in its contract with the Federal Government.

The matter was referred to the Office of the Australian Information Commissioner.

Following the privacy breach, SHP and Bupa made several attempts to recall the email.

Bupa eventually went to the extent of contacting Google Australia, five weeks after the incident, to try and get the email back. Google agreed to remove the email from the receiver's inbox after notifying them.

Seventy days after the breach, on 16 October 2015, the department contacted the people whose information had been disclosed.

"A routine report prepared by a SHP temporary employee was sent to a SHP clinical officer for clearance," stated the letter, which was later published on the Migration Alliance website.

"The SHP clinical officer inadvertently mistyped the Gmail address of one of the intended recipients, and as a result, the report was sent to an email account … the identity of the recipient unknown."

The department instructed Bupa to undertake an immediate review of all policies and procedures related to the security of personal information handled by Bupa and its subcontractors.

"Bupa acknowledges that the process used to share the document containing the data was outside of the authorised departmental health systems," a spokesperson said.

"We know the importance of responsibly managing private data and took immediate actions at the time to address the matter."

The spokesperson said Bupa had since improved its data security practices, and introduced mandatory privacy training for employees dealing with visa health assessments, and an audit program to assess subcontractors' security practices.

More transparency needed

Dr Baer Arnold said incidents like this made it difficult for Australians to trust governments with their personal information.

He said private contractors were increasingly getting access to government data but that there was little transparency around the data security practices of those contractors or their subcontractors.

"I think it's extremely likely that there have been other problems, we just haven't heard about them," he said.

"We're increasingly relying on agents in the private sector to do work for government and many of those agents clearly are just not up to it.

"If this information is not encrypted, if it's being shared by badly-supervised subcontractors using a Gmail address, we're not up to speed. We need to do something about it."

Dr Baer Arnold said security standards had to be a priority whenever the government awarded contracts that would allow private service providers access to sensitive personal data.

"Is this something we should bear in mind when we give contracts, sometimes very profitable contracts, to entities such as Bupa?" he said.

"If they're not up to speed, we shouldn't be rewarding them by encouraging bad practice."

Bupa has the contract to provide immigration health assessments and medical services for the Government until 2021.

"The Government should be reasonably expected to have proper supervision of its contractor and by extension subcontractors," Dr Baer Arnold said.

Who was affected?

Immigration medical assessments, carried out by Bupa and its subcontractors, are required for certain visa applications and for people applying for permanent residency in Australia.

The purpose is to protect the Australian community from public health risks, but also to assess whether applicants are likely to impose a significant burden on the public health system.

Australia asks for a considerable amount of information from its visa applicants, according to Sarah Dale, principal solicitor at the Refugee Advice and Casework Service.

"People sign an agreement at the beginning of that process with the department that they will provide full and frank information and that they're going to have to go through health checks," she said.

"But a condition of that is the department is going to have to keep that information safe."

Ms Dale said health information was highly sensitive, and in some cases, its unauthorised disclosure could endanger the safety of applicants or their families in their country of origin.

While that was unlikely to have occurred in this instance, she said the department had still failed to live up to its end of the bargain with visa applicants.

"People were told to trust a system; people were told to engage with a system on the basis that their information was safe," Ms Dale said.

"At the end of the day: it was not."

In a statement, Sonic HealthPlus said the 2015 privacy breach was an isolated incident and swift action was taken "to rectify the situation and notify all affected parties".

The documents obtained by the ABC also revealed that in 2016, three laptops used by another government contractor were stolen at the Republic of Nauru Hospital.

At the time, the contractor provided emergency medical support to refugees, asylum seekers and Nauruan nationals. The contractor did not use passwords to secure the laptops.

A spokesperson said the department understands no personal information was stored on the laptops at the time of the theft, and the contractor undertook a password and security audit.