Ray Walsh

July 31, 2018

Governments have a terrible track record when it comes to protecting citizens’ data. This is because connected databases are notoriously hard to protect. The more valuable the data inside them, the more temptation there is for hackers to break in – and they often do.

Foreign states, cybercriminal gangs, and lone wolves hoping to cash in all have strong motivations for accessing citizens’ super-sensitive medical data. Then there is the possibility of corruption, inside jobs, or simple mistakes at the hands of those people with access – all of which can lead to the loss of private data.

In the past few years, cyber attacks on the United States Office of Personnel Management (OPM), Britain’s NHS, and India’s Aadhaar card database have highlighted the vulnerabilities posed by government-run databases. Just recently, 1.5 million health records were stolen in Singapore. This is yet more proof that health records, which are said to hold more value than financial records, are a prime target.

My Health Record

Despite the obvious risks, governments around the globe keep pushing forward with proposals for centralized databases. In Australia, people are being warned to opt out of a government scheme called My Health Record (MHR). MHR is a digital health record database currently being set up. By the end of 2018, it will include every Australian’s health records – apart from those citizens who specifically opt out.

Privacy advocacy groups have warned that hundreds of thousands of medical records have already been added to the database, without citizens’ consent. Activists say that the scope of records being included is extremely troubling, especially considering the Australian government has a poor track record of protecting people’s private data.

Valid concerns

The opt-out health record database was first criticised by Australia’s former privacy commissioner, Malcolm Crompton, six years ago. At that time he warned the government that the central database would pose too much risk to the general public. The government has ignored those warnings.

Now, a number of advocacy groups, including CounterAct – one of Australia’s most active social justice groups – have gone on the record to express their concerns. Citing previous misgivings over Australia’s 2016 census, CounterAct says that the MHR database raises all the same privacy concerns. However, this time CounterAct is sounding the alarm bells more urgently because MHR adds unprecedented levels of sensitive data into the fray:

“Sexual activity and orientation, gender, stigmatised diseases, prescriptions which could identify your condition, life-threatening and chronic health conditions, fertility, reproduction rights and more.”

Opt out now

Tim Norton, Digital Rights Watch chairman, also believes the database is a massive risk. Norton told BestVPN.com:

“Despite a range of privacy concerns being raised by human rights activists, medical professionals, and technology specialists, no guarantees have been given that individual citizens’ personal information within the My Health Record system will be kept safe and secure.”

Norton isn’t alone; various mental health bodies have come forward to express outrage. Consumers of Mental Health WA (CoMHWA), the Victorian Mental Illness Awareness Council, and Being, all believe that the risk of data breaches is astronomical.

According to CoMHWA chief executive Shauna Gaebler, MHR “increases the risk of discrimination and health inequalities for people with mental illness.” Gaebler also has concerns about how the database could affect young people if their private medical records are accidentally exposed to their parents. 

Too much access

Perhaps the most troubling aspect of MHR is the large number of individuals that will have access. According to CounterAct, more than 70,000 doctors will be able to use it. In addition, 30,000 pharmacies will be allowed to log in.

Statistics have emerged that quote figures as high as 900,000 medical professionals, and 12,000 organizations being given permanent access. This creates vast potential for the abuse or mishandling of those sensitive private medical records. Even without throwing hackers into the mix, it seems inevitable that there will be a data breach at some point.

Malcolm Crompton, who is currently an adviser at one of Australia’s leading information privacy consultancies, commented:

“It may well be military-grade [security] on the central servers of the My Health Record system. It’s demonstrably not military-grade for all of those 900,000 practitioners. Literally, because nobody knows. Nobody has actually audited those 900,000 practitioners to make any statement of any sort on how secure they are.”

Dr. Trent Yarwood, health spokesman at Future Wise, concurs with his opinion, recently stating that “with so many points of access, there will be people who do the wrong thing.”

Not just for healthcare professionals

Australian law enforcement are already lobbying the government for access to the database and, according to CounterAct, they may already have been granted access in some cases.

The Australian Digital Health Agency (ADHA) – which controls access to My Health Record – has stated that access will only be granted with a warrant. However, ADHA currently has the power to change the process at a later date – meaning that this database could become even more dangerous later on.

The good news is that campaigners are celebrating some success from their recent campaigns. Federal Health Minister Greg Hunt has today gone on the record to promise that a warrant will be necessary for the police, tax office – and other third parties – to access the data contained within the MHR database.

However, it is not yet clear if patients will be informed when a successful warrant is granted. ABC has previously reported that “if personal information is disclosed to law enforcement, the decision about whether to notify the My Health Record holder will be decided ‘case-by-case’.”

PM Turnbull has indicated that, in theory, he would support private medical insurance companies being granted access in the future. That means that people’s private health records might one day be subjected to a free-for-all. Norton, for one, is extremely worried:

“There are concerns about current or future access being granted to private companies. In 2016, the Department of Health provided access for Telstra to the national bowel and cervical cancer screening register, thus giving a for-profit company access to intimate health information without prior consent of those affected. What guarantees are we being given that this will not occur again?”

Phil Booth, coordinator of medConfidential, told BestVPN.com:

“When it turns out a number of those publicly supporting My Health Record have been taking money from the Agency running it, alarm bells should be ringing. If the benefits ADHA claims cannot be sold to patients on their own merit, something is clearly wrong with the scheme.

“Despite several years of a sort of opt-in approach, there’s scant evidence from doctors of any real clinical benefit. With very little use for patients themselves, My Health Record is clearly more about hoovering up masses of information about Australians’ medical treatments, for ‘secondary uses’ the MHR website doesn’t mention, and which the officials involved weren’t even talking about.”

The time to act is now

Considering the sensitive nature of the health records, Australians were originally only being given until October 15 to opt out. However, Greg Hunt has today promised that the Health Record Act will be changed to permit people to opt out once it goes live:

“The government will also amend Labor’s 2012 legislation to ensure if someone wishes to cancel their record they will be able to do so permanently, with their record deleted from the system.”

This is good news and means that there is not such a big rush for Australians to opt out. However, they are still advised to do so sooner rather than later.

How to opt out

Anybody wishing to opt out of this invasive scheme is advised to go ahead and do so at once. The benefits to Australian citizens are minimal, and the risk of data leaks and hackers stealing the data is huge. To opt out, follow these simple steps:

  1. Get your Medicare and Drivers Licence numbers handy
  2. Go to the My Health Record Opt-Out website
  3. Fill out the details to ensure you are not part of the system when it goes live at the end of 2018

Ray Walsh is one of BestVPN's resident VPN experts. Ray is currently ranked #1 VPN authority in the world by agilience.com. During his time at BestVPN.com Ray has reviewed some of the world's foremost VPNs. Ray is an advocate for digital privacy, with vast experience writing about the political and social aspects of infosec, cybersec, and data privacy. Find him @newsglug on Twitter.

3 responses to “My Health Record – why every Australian should still opt out!”

  1. Why can’t they have a closed intranet or something that just the main hospitals in each city can access? Why does everything have to be on the internet?

    1. @ Brett.. The Internet isn’t the only problem. The simple answer is because the hospital computers and their IT departments are no better at protecting our personal medical information than the government or the MHR.
      Just one example is the massive privacy breach the NHS in the UK suffered earlier this year. A recent hack of the Singapore health system is another example.

      There are so many more examples of government and bureaucratic IT system failures and hacks! Never a day passes when a major public or government IT system in the USA is hacked. Australia is no different, we just don’t or rarely hear about it!

      The Australian government has forced ALL ISPs to hoover up all your Internet activity and store it for 2 years at taxpayer expense. Will the ISPs tell you if their system is hacked… I seriously doubt it! And the list of so-called authorised users is endless!

      The only way to protect your privacy and yourself is to opt out of the MHR and use a VPN. If you think any digital online IT system or the Internet is 100% safe or operated in your best interest, none are, and if you think you have nothing to hide… think again!

      A couple of references to check are..
      (they use HTTPS…. SSL security)

      Brian Krebs who is a security specialist in the USA. He publishes a daily hack report. His website is.. https://krebsonsecurity.com

      and general scams on the ACCC website..
      https://www.scamwatch.gov.au/news/

  2. As long as other doctors can’t access your records you’re assured of a second opinion free from implanted bias from another doctor’s prior post.
    Today I’ve seen the govt plans to review it. This was the reviewed version. It was originally E-Health all they’ve done is just remessage it. Aussies should be livid their LNP govt has attempted to enable Dr Mengele’s genetic tracking program to live again. If you think this comment to be harsh then I suggest like I did you try & get an answer to why “Genetic Relative” is defined in the Act, but no clause relates to it. Why by virtue of Clause 98 by simple memo for undefined delegation purposes the Defence Minister can have Carte Blanche to your records.
