Darkweb, darknet and hacking concept. Hacker with cellphone. Man using dark web with smartphone. Mobile phone fraud, online scam and cyber security threat. Scammer using stolen cell.
Darkweb, darknet and hacking concept. Hacker with cellphone. Man using dark web with smartphone. Mobile phone fraud, online scam and cyber security threat. Scammer using stolen cell.

STIs, booze and HIV status: Aussie medical records taken

Exclusive: The individual health records of almost 25 million Australians have been scraped from medical clinics under a secret data grab that has alarmed privacy experts.

The move has laid bare information on patients' mental health, alcohol consumption, weight, sexually transmitted diseases and HIV.

In most cases the material is being collected by data firms without explicit patient consent and patients have not been given the opportunity to opt out.

The Australian Privacy Foundation said if the records were to fall into the wrong hands they could be used to blackmail powerful people, track down a domestic violence victim or by employers to vet job applicants.

They could also be used against a person with mental health problems in a custody battle.

"While almost 10 per cent of Australians opted out of My Health Record, most may be unaware they are giving consent to their default data upload, when they sign the patient registration form to see their own doctor," Juanita Fernando, Health Committee Chair of the Australian Privacy Foundation said.

 

Health data is vulnerable to hacking, experts claim. Picture: Supplied
Health data is vulnerable to hacking, experts claim. Picture: Supplied

 

Doctors are providing the patient health information under the Primary Health Insights program via two data collection firms which gives the files to 31 Primary Health Networks (PHN's).

These are administrative health regions established by the government and the Department of Health said they would use it to improve health care and determine where new health resources are needed.

IT consultant to the medical profession Paul Power who raised the alarm that saw privacy protections in the My Health record legislation substantially strengthened said the data could be a hacking target for China or Russia and nefarious actors.

The Office of the Australian Information Commissioner said patient protections were imperative.

"It is essential that privacy protections are in place when dealing with such sensitive information," a spokesperson said.

General practices are meant to seek patient consent to take the data but those who have been seeing the same GP for many years are unlikely to have been explicitly informed or given their consent or the chance to opt out.

And some patients who did ask to opt out said it took three months for the process to happen, others were told by GP's they had no idea about the process.

Royal Australian College of General Practitioners president Dr Karen Price says general practices were adhering to relevant privacy legislation.
Royal Australian College of General Practitioners president Dr Karen Price says general practices were adhering to relevant privacy legislation.

The data is meant to be de-identified but when the Department of Health published "de-identified" health data of three million Australians in 2016, it took researchers at Melbourne University just three days to decode it and re-identify it.

In 2017 the Medicare numbers of Australians were found for sale on the dark web.

ANU researcher Dr Vanessa Teague, who was part of the team who re-identified the health data in 2016, said patient information containing Medicare or medicines information - or even the year a woman's child was born - was the most vulnerable.

"It would be entirely inaccurate to describe it as de-identified," she said.

Former Privacy Commissioner turned lead adviser for Information Integrity Services Malcolm Compton agreed.

"I think they're being a bit too clever by half," he said.

Australian Medical Association president Dr Omar Khorshid said Primary Health Networks claimed to have "very, very high levels of security".

Royal Australian College of General Practitioners president Dr Karen Price said general practices were adhering to relevant privacy legislation.

" … and have privacy policies in place which explain how personal patient data is used as part of the provision of care and how de-identified data may be used for research and quality improvement purposes," she said.

The Department of Health said patients can opt out of having their information collected.

 

 

 

Originally published as STIs, booze and HIV status: Aussie medical records taken

Australian Medical Association president Dr Omar Khorshid says primary health networks claimed to have “very, very high levels of security”. Picture: Supplied
Australian Medical Association president Dr Omar Khorshid says primary health networks claimed to have “very, very high levels of security”. Picture: Supplied


‘Feels like minus 2.4C’: State shivers through chill

Premium Content ‘Feels like minus 2.4C’: State shivers through chill

If you felt extra chilly this morning, you weren’t imagining it

Oldest off-road racer will be rebuilt for disabled veterans

Premium Content Oldest off-road racer will be rebuilt for disabled veterans

Off-road racing team rebuilding old Army Land Rover

Guns, drugs, cash found in jail trafficking bust

Premium Content Guns, drugs, cash found in jail trafficking bust

Thirteen charged following operation into trafficking of drugs