By Zeb Holmes and Ugur Nedim
The number of breaches detected and recorded against the My Health Record database rose from 35 to 42 in the past financial year, raising concerns about who the information may be sold or provided to, and how it may be misused.
The breaches fly in the face of consistent claims by the federal government that the database is safe and secure, and that the privacy of those who choose not to opt out is protected.
My Health Record is an online summary of your key health information, which is accessible to authorised persons from anywhere.
Every Australian will eventually receive a My Health Record unless they opt out of the scheme.
Initially, Australians were given only three months to opt out, but the deadline has been extended twice due to various issues with the system. The latest opt-out deadline is 31 January 2019.
Currently, six million Australians are registered on the My Health Record database. That number is expected to increase to about 23 million when the opt-out period ends.
By the end of October 2018, 1.1 million Australians had opted out of the scheme.
Government agency claims breaches are not malicious
The Australian Digital Health Agency annual report claims there have been “no purposeful or malicious attacks compromising the integrity or security of the My Health Record system”.
A spokesperson stated the recorded breaches include data being released by the agency itself to the wrong people and other intra-agency breaches.
Privacy experts disagree
However, Dr Bernard Robertson-Dunn, who chairs the health committee at the Australian Privacy Foundation, asserts there are significant flaws in the way the scheme has been set up, including the fact that it is vulnerable to any deficiencies in external hospital systems, practices and procedures.
This, he states, is additional to concerns regarding infiltration of the government database itself.
“So… [he explains] there is no way the Government would know who has accessed that data, and it is untraceable and untrackable that that access has occurred”.
There are specific concerns that information could be provided to commercial entities for unintended purposes, such as the determination of insurance premiums or more sinister reasons.
Indeed, the coordinator of British privacy group Medconfidential, Phil Booth, has pointed out that the Australian scheme is disturbingly similar to the UK’s Care.data initiative, which was cancelled in 2016 following a damning review which exposed widespread privacy breaches.
New Wentworth MP Dr Kerryn Phelps, herself a general practitioner and former president of the Australian Medical Association, is a particularly vocal critic of the scheme.
“We’ve been consistently reassured by the Minister that no such privacy breaches had occurred,” the doctor stated.
“This was confirmation that there have been privacy breaches, some serious, and it shows the potential for further privacy breaches as this database comes online and becomes more used.”
Dr Phelps has called for a 12-month delay in rolling out the scheme to allow consumers to be fully informed of “potential privacy breaches”.
And Federal Labor has called for a comprehensive review of the scheme by the Privacy Commissioner before its rollout.
Labor’s health spokeswoman, Catherine King, believes the reported breaches are more evidence of government mismanagement.
“The government continues to botch this important reform and must heed Labor’s call for an independent review of privacy provisions,” she stated.
Her sentiments have been echoed by Deputy Opposition Leader, Tanya Plibersek, who has called the reported data breaches a product of the government’s “incredibly hamfisted management.”
Dr Cassandra Cross, a criminologist at the Queensland University of Technology, believes the government has been giving mixed messages: saying on the one hand that the system is safe and secure, while admitting on the other that there have been dozens of data breaches, then downplaying the seriousness of those breaches.
“I think it’s misleading on the part of the Minister and the Government to make the repeated suggestions that there haven’t been any privacy breaches”, she remarked.
Those who do want to opt out of My Health Record can still do so here.