Health records breach
Privacy experts alarmed medical data is collected without consent
The individual health records of almost 25 million Australians have been scraped from medical clinics under a secret data grab that has alarmed privacy experts.
The move has laid bare information on patients’ mental health, alcohol consumption, weight, sexually transmitted diseases and HIV.
In most cases the material is being collected by data firms without explicit patient consent and patients have not been given the opportunity to opt out.
The Australian Privacy Foundation said if the records were to fall into the wrong hands they could be used to blackmail powerful people, to track down a domestic violence victim, or by employers to vet job applicants.
They could also be used against a person with mental health problems in a custody battle.
“While almost 10 per cent of Australians opted out of My Health Record, most may be unaware they are giving consent to their default data upload when they sign the patient registration form to see their own doctor,” Juanita Fernando, health committee chair of the Australian Privacy Foundation, said.
Doctors are providing the patient health information under the Primary Health Insights program via two data collection firms that give the files to 31 primary health networks (PHNs). The Department of Health said it would use the data to improve health care and determine where new health resources are needed.
IT consultant to the medical profession Paul Power, who raised the alarm that saw privacy protections in the My Health Record legislation substantially strengthened, said the data could be a hacking target.
The Office of the Australian Information Commissioner said patient protections were imperative. “It is essential that privacy protections are in place when dealing with such sensitive information,” a spokesperson said.
General practices are meant to seek patient consent to take the data, but those who have been seeing the same GP for many years are unlikely to have been given the option to consent or opt out.
The data is meant to be de-identified, but when the Department of Health published “de-identified” health data of 3 million Australians in 2016, it took researchers at Melbourne University just three days to decode it and re-identify it.
In 2017 the Medicare numbers of Australians were found for sale on the dark web.
ANU researcher Dr Vanessa Teague, who was part of the team that re-identified the health data in 2016, said patient information containing Medicare or medicines information – or even the year a woman’s child was born – was the most vulnerable.