My Health Record hit with breaches


There were 37 breaches of Australia's My Health Record system in 2018-19, according to the overseeing agency's annual report.

The Digital Health Agency, which oversees the system, said most were attributable to the administrative errors.

But the report says there had been no purposeful or malicious attacks that compromised the integrity of the My Health Record system.

There were 37 breaches of Australia’s My Health Record system in 2018-19. Picture: Supplied
There were 37 breaches of Australia’s My Health Record system in 2018-19. Picture: Supplied

The agency said the administrative errors were mainly around individual records being used by multiple people, or "processing errors" when creating records for babies.

Four cases had been reported to the Office of the Australian Information Commissioner, with two breaches involving customers had their records viewed without authority, which the agency said were suspected fraud cases. One case saw unauthorised access to a child's record after someone was incorrectly assigned to be a parental representative.

There had been one suspected breach due to unauthorised access to a child's records but it was later revealed the request was made by the minor's parent. The majority of the breaches - 27 - were linked to individual Medicare records being used by two or more individuals.

Seven customers saw unauthorised Medicare claims being made in their name.

Senate estimates in October heard there were nearly as many people are opting back into the government's digitised national health record system as are opting out.

Health department staffers said 23,528 Australians have cancelled their My Health record since February 22 this year, but 22,129 have opted back in since that date.

While Australian Digital Health Agency chief executive Tim Kelsey said 80 per cent of community pharmacists were uploading dispensed medication data, the annual report said it was only 66 per cent.

It blamed this on "industry sentiment" and said there was a need for further ongoing education.


In July, News Corp revealed that although the My Health Record system cost taxpayers nearly $2 billion, most Australians could not access their online electronic health record and most had not set a PIN number to protect information on it.

Nine in 10 Australians had a My Health Record created for them on January 31 after they failed to opt out of the controversial system.

However, News Corp learned four in ten people had no way of using it or checking whether the information on it is accurate or setting privacy controls.

To access the record you need to have a MyGov account but even though 23 million Australians had a My Health Record at the time, only 15 million people had a MyGov account.

While many individuals can't access their My Health Record, any doctor, pharmacist or public hospital, pathology or x-ray company can see their record and upload information on it without getting the patients permission.

"My Health Record is based on the concept of standing consent," Australian Digital health Agency chief Tim Kelsey explained to a Senate Estimates Committee.

This means their doctor can access the record and even trigger its activation without the patient's knowledge or consent.

Doctors are not required to get their patients consent to upload a shared health summary onto the My Health Record that can reveal if a person had an abortion, a sexually transmitted disease, is impotent or has a mental illness.

Once the record is activated two years' worth of Medicare and prescription data is downloaded onto the record and this can also reveal sensitive or embarrassing health conditions.

Once that information is uploaded it can be accessed by hundreds of thousands of health practitioners including podiatrists, optometrist and physiotherapists unless the patient sets up a PIN number or other privacy controls to protect it.

- with staff writers