- The Australian government is creating a national online database known as My Health Record, capable of storing your entire medical history.
- Privacy experts say a data breach is “inevitable” with more than 900,000 people in the sector able to access the information.
- Patients will have the ability to decide what information is uploaded and lock files.
- People have until October 15 if they want to opt out of the system.
Growing concerns about the cybersecurity of the Australian government’s new online health agency, My Health Record, has provoked a growing push among privacy advocates for people to opt out of the system.
From today, people have three months to opt out or they will automatically be signed up for the national online record potentially carrying all their health information.
The online summary will range from medicines you are taking, to any allergies and treatments you have received.
Already nearly six million people have chosen to be part of the online health database, but privacy experts believe that GPs who access the system could be the weak link leading to inevitable data breaches.
The Australian Digital Health Agency (ADHA), which is responsible to introducing the system, says 12,860 healthcare professional organisations are already connected to the My Health Record database, including GPs, hospitals, pharmacies, diagnostic imaging and pathology practices.
“My Health Record is already making healthcare management for individuals and healthcare providers easier and safer, and could save lives in an emergency situation,” the ADHA said in a statement today.
“Australians can manage privacy and control access to their My Health Record including what information gets uploaded and who has access such as family members, carers and healthcare providers.
“This empowers them to share and control their health information with doctors, hospitals and other healthcare providers from anywhere, at any time.”
Australians have until October 15, 2018, to opt out of having a digital file created.
A range of peak medical bodies, including the Australian Medical Association, the Royal College of Australian GPs, and Pharmacy Guild of Australia are backing the push to a national health database.
The National Rural Health Alliance (NRHA), which represents 35 national organisations, including the Royal Flying Doctor Service, RACGP Rural and the CWA, said people in rural areas should embrace the online database, given the greater risks they face.
NRHA CEO Mark Diamond said it would save lives, especially in emergency situations.
“Australians living in rural and remote areas are more likely to end up in an emergency department from from a heart attack, car accident or diabetic coma,” he said.
“If they’re unconscious, and the medical team doesn’t have access to their health history, the team may not be able to provide life saving care.
“A My Health Record means that all your important health information is at the fingertips of your doctor, nurse or surgeon.”
Diamond said there were always privacy risks associated with online health information, but his organisation was satisfied the risks were small for My Health Record is small.
“I ask all country people to balance that small risk against the considerable advantages of My Health Record. There is simply no good reason to opt out,” he said.
The privacy concerns come in the wake of ongoing issues with online patient booking platform HealthEngine, which earlier this month made a compulsory data breach notification to the Office of the Australian Information Commissioner involving 75 users. The Western Australian tech startup, funded by the likes of Telstra, Google and Seven West Media has also faced criticism after the ABC revealed it had been sharing patient data with third parties, including personal injury lawyers. Federal Health Minister Greg Hunt called an “urgent review” into the company’s actions.
Dr Steve Hambleton, deputy chair of the My Health Record rollout, told Fairfax Media that while he “can’t guarantee that there’s not a hole somewhere”, any potential breach would be isolated to individual records rather than the entire database and would be detected.
IT security expert Troy Hunt, who also runs haveibeenpwned.com, which warns people about personal data breaches, told Fairfax that authorised access to the system was “an inevitability” and could be as simple as a doctor leaving their PC unlocked and leaving the room.
“Breaches doesn’t necessarily mean that they have done a bad job of their security,” Hunt said.
When fully operational, nearly one million health professionals are likely to have access to the system. And while patients will have the ability to set their own security levels, locking individual files or their entire record with a 4-to-8 digital passcode, it’s believed some senior health sector people will have the ability to override them.
Patients also have the ability to say which documents are uploaded and can establish access alerts as well as review who’s been looking at their health information and how it was used. They can also delete records.
But even if you cancel your My Health Record account, the information will remain on the system for 30 years after your death.
Former privacy commissioner Malcolm Crompton sees GPs access as a potential weakness in the system, telling Fairfax researchers have been given permission to use the data by default.
Data breaches in Australia have regularly involved health care in recent months.
Privacy advocates are also infuriated that some health professionals are asking patients to tick a box to stop information being uploaded to My Health Record, rather than the other way around and providing consent to opt in.
And while the government has introduced strong penalties for unauthorised access, including jail sentences and fines of up to $126,000, critics believe there’s lucrative appeal for criminal syndicates sell the data, while others are worried that the bar has been lowered for law enforcement agencies to access the records.
Previously, police needed a warrant to obtain health records from a doctor. Law enforcement will be able to access My Health record if they are preventing or detecting or for fraud, in the case of “the protection of the public revenue”.
Details about My Health Record are available from the website here, including how to opt out if you choose to. You can also call the help line on 1800 723 471.
Business Insider Emails & Alerts
Site highlights each day to your inbox.