CASA are not very good at following rules themselves, and seem to have no real concept of privacy.
For example, I am certain that the new Medical Records System doesn't follow Australian requirements for handling sensitive medical information. They send a link to the system by email, without any userid/password protection. This means that:
- If you use your work email for CASA business, it is likely that your employer can access your medical records.
- Your email provider e.g. ISP, Google etc. can access your medical records
- Gmail has allows 3rd party app developers to read people's email. (If they provided permission, but frequently people do not understand the permission they are giving.) It seems like in some cases that included outsourcing reading emails to low paid workers to provide "simulated AI'. They would also be able to access your medical records.
Given the number of possibilities I very much doubt that CASA could provide any comprehensive record of who has accessed your medical records, or any guarantee that there has not been unauthorized access.