Switching Australia’s ehealth system, known as My Health Record, to an opt-out model led to a surge in privacy complaints, the privacy watchdog revealed in its annual report on digital health.
The Office of the Australian Information Commissioner says it has now received over 60 privacy complaints and 35 data breach notifications regarding the My Health Record system, which has been operational since January. It also received 145 inquiries about the controversial ehealth system.
My Health Record switched to an opt-out model in January, meaning any Australian Medicare holder who did not explicitly opt out of the system had a digital record created for them, which could be shared with medical professionals. The system is managed by a government agency, the Australian Digital Health Agency (ADHA).
Throughout 2018, privacy advocates and technology experts slammed the switch of the system, which had initially been designed by Labor in 2012 as an opt-in model. Amid scrutiny, the government delayed the opt-out deadline several times but ultimately ignored a Senate Inquiry’s recommendation to hold off for at least one more year to strengthen the system’s privacy and security.
The first review of the system by the OAIC, released yesterday, details the rise in privacy complaints regarding My Health Record.
“During 2018–19, the OAIC saw a significant increase in complaints about the My Health Record system (57 complaints were received during this reporting period compared to eight received during 2017–18),” the report says.
“This increase appeared to be a result of individuals becoming aware that a My Health Record would be created for them if they did not opt-out by 31 January 2019.
“Some individuals also lodged complaints about not being able to cancel or permanently delete a My Health Record.”
Experts had warned the ADHA’s guarantee of permanently deleted records would be difficult to fulfil.
Of the 35 My Health Record data breach notifications received in the period covered, 31 came from the Department of Human Services and 4 came from the ADHA, the system operator. In total, the breaches affected the My Health Records of 40 people.
The OAIC is currently assessing the ADHA’s handling of personal information, focusing on its compliance with Australian Privacy Principles. The assessment will be finalised in the 2019–20 financial year, nearly two years into My Health Record’s full operation.