27 September 2023

No clean bill of privacy for My Health

The Office of the Australian Information Commissioner (OAIC) has released its annual report of activities relating to digital health, revealing a surge in complaints about the My Health Record system.

The complaints follow the My Health Record being moved from a self-register to an opt-out model in February.

The OAIC report says that in 2018-19 it received 145 enquiries and 57 complaints about My Health Record, compared to 14 enquiries and eight complaints the previous financial year.

It said most complaints were received before the end of the opt-out period on 31 January.

The report says the Office also received 10 enquiries about the Healthcare Identifiers Service, and five complaints.

“During the reporting period, the OAIC provided detailed privacy advice on the My Health Record system to stakeholders, including the Australian Digital Health Agency and to the Senate Community Affairs References Committee and Legislation Committee,” the report says.

“The OAIC also conducted privacy assessments of regulated entities in the digital health sector,” it says.

The report says the OAIC received four mandatory data breach notifications from the My Health Record System operator.

“Two notifications related to unauthorised access to a My Health Record by a third party conducting fraudulent Medicare-claiming activity; one notification involved incorrect Medicare enrolment resulting in unauthorised access to a My Health Record; and an enquiry into the fourth notification confirmed that a data breach had not occurred,” the report says.

The OAIC received 31 mandatory notifications about data breaches involving Medicare records.

Of the 31, 27 involved intertwined Medicare records, where healthcare recipients with similar demographic information shared the same Medicare record, and Medicare provided data to the incorrect individual’s My Health Record.

The remaining four notifications resulted from findings under the Medicare compliance program, where Medicare claims made in the name of a healthcare recipient, but not by that healthcare recipient, were uploaded to their My Health Record.

The OAIC is the independent regulator of the privacy provisions under the My Health Records Act 2012 and the Healthcare Identifiers Act 2010.

The Office’s 139-page report can be accessed at this PS News link.
