The Price of Access
Photo credit: Alanna Autler
A recent spate of significant data breaches continues to demonstrate the huge problems of the relentless accumulation of information on all of us both by corporations and governments. Just in recent weeks, we’ve had:
- the Commonwealth Bank’s major data breach, which we only learnt about from Buzzfeed;
- the continuing fall-out from the PageUp data breach, affecting thousands of Australians and dozens of major commercial and government users;
- a Ticketmaster data breach that may have affected Australian customers;
- a breach at controversial health booking service HealthEngine;
- a hack of Family Planning NSW;
- a breach at Aviation ID Australia affecting Aviation Security Identity Cards, used to access restricted areas of airports.
At least we’re now being notified more consistently about breaches, after the government finally stopped dragging its feet and a data breach notification scheme commenced.
Earlier this week, IT News reported that the four major political parties would be given $75,000 each to strengthen the security of their voter information systems. Online rights watchdog Digital Rights Watch welcomed the move, given what is known about the poor state of cybersecurity in the systems of political parties; at least one major party is known to use a system that sends user names and passwords in clear text.
The potential for a large-scale data breach of the most serious kind will increase in coming months as the so-called “My Health Record” e-health system is rolled out. From Monday, citizens will be able to opt-out of having an electronic health record created by the government for them. Those that don’t, face the risk that their health records could be accessed via a data breach, particularly of any third party service providers involved — it is a recurring pattern of data breaches involving governments that often government agencies themselves are not breached, but they have outsourced a service to a private contractor (like PageUp) to save money and it is the latter who are breached. In the case of My Health records, there is also a risk that health professionals other than your own might also access it.
This is all prior to the grimmer scenarios around what a government agency or minister could do with your health information. These are of course no hypothetical visions of an Australian dystopia: we know that Alan Tudge and his bureaucrats used a critic’s private information to publicly attack her, and did so with the subsequent approval of the so-called Privacy Commissioner. Health information is even more sensitive than the sort of information collected by welfare authorities, but there is literally nothing to stop the government from using that information against someone who has embarrassed it. The government that leaked information about Andi Fox, that is prosecuting Witness K and Bernard Collaery, that sent AFP officers into Parliament House to pursue emails between Labor staff and journalists, that set up two royal commissions to pursue its political opponents, and that is currently criminalising even the mere reading of leaked information online, cannot be trusted with any kind of personal data. Its security is too poor, and it has demonstrated it will use private information for political purposes against citizens.
The best security is to prevent it from accumulating information on you in the first place. Then there’s none to steal or to misuse. Opting out of My Health Record is the only sensible option.
32 thoughts on “My Health Record could be our worst government data breach yet”
Hunt, Ian
July 13, 2018 at 1:36 pmThe best security is to make sure this government is tossed out at the next election. Then the new Labor government should be urged, and forced if necessary, to set up a task force to solve these problems and prevent any future government from using breaches of privacy for political gain. An agreement between the states and commonwealth should be able to lock it in, as it did with the GST.
paddy
July 13, 2018 at 1:51 pmSeriously insane. I just followed that “opt-out” link and from there to another page
entitled Cancel my record.
https://www.myhealthrecord.gov.au/for-you-your-family/howtos/cancel-my-record
I’ve seen some mad stuff with Govt Depts before, but for sheer Kafkaesque nonsense,
how about this one:
“Once your record is cancelled, it will be retained for a period of 30 years after your death or, if the date of death is unknown, for a period of 130 years after the date of your birth.
Your My Health Record may be accessed by us for the purposes of maintenance, audit and other purposes required or authorised by law.”
Words fail me 🙁
zut alors
July 13, 2018 at 3:35 pmPaddy, for a moment there I thought you were quoting a First Dog cartoon. But nobody, even the super-talented Dog, could make this up.
susan ireland
July 13, 2018 at 4:15 pmMy reading of this, is that health providers will still enter records into the system, the government will still be able to do what they like with it, and the only consequence is that other health care providers won’t be able to see what is there. I won’t be able to see what is there but it will be there anyway.
That isn’t opting out unless I am reading this incorrectly.
OliverB
July 13, 2018 at 2:13 pmI really don’t much care in the unlikely event that someone learns I get migraines. I _do_ care that paranoia about health record storage will prevent me getting proper emergency care, and will prevent researchers seeing patterns that might help me prevent the migraines.
Desmond Graham
July 13, 2018 at 2:20 pmYour comment does not contribute to the issues – changing governments won’t make an iota of a difference same system will still exist and it was a labor government that commenced the eHealth big brother system – it is independent of type of government
Desmond Graham
July 13, 2018 at 2:22 pmoops the comment was in response to Ian Hunts comment
Desmond Graham
July 13, 2018 at 2:30 pmif you have headaches – and you are an adult one would think you know the pattern that gives you a headache – government record of your headache isn’t going to help you . Perhaps a good doctor who has access too the latest medicines would be the way to go, same as for any illness.
Robert
July 13, 2018 at 5:26 pmYou are, of course, right. The benefits of an accurate diagnosis in an emergency, not the mention not having to fill in pages of medical history every time I engage with the health system more than outweigh the risk that someone will do something nefarious with my health records, whatever that might be. I don’t leave my car in the garage simply because I might have an accident.
klewso
July 13, 2018 at 2:26 pmWho will protect us from the protectors?
Desmond Graham
July 13, 2018 at 2:26 pmBernard – about time Crikey addressed the issue – but left it too late – opt out only lasts from 16 July to October so its a once in a lifetime restricted opportunity – also the process has been so designed that the opt out process is so difficult that most people will give up half way through and those without computers are restricted.
Dog's Breakfast
July 13, 2018 at 2:46 pmThanks for the heads up BK. I have no concerns about medical professionals having access to the limited health data they have on me, but I don’t think they are up to the security.
It’s one of those problems that someone will say ‘well if you never go to a doctor you have nothing to worry about.’ (paraphrase of ‘if you’ve never done anything wrong you shouldn’t be worried about the government spying on your every move’)
Thanks Paddy, I’m at work and don’t have all afternoon to scroll through and do it today. Suppose I’ll spend all weekend navigating the simple opt out procedure.
Guru
July 13, 2018 at 2:56 pmHold on a minute Bernard before you do your undermining.
The MyHealth record if properly taken up and used has the potential to be the single biggest gamechanger in health since penicillin. No I am not overstating it. It holds the potential to massively improve outcomes, accelerate research, reduce costs which can be reinvested in health, enable Value Based Healthcare (value being determined by paying for outcomes that are important to patients), reduce medication errors and inappropriate polypharmacy, save time and save lives in emergencies, identify what implants patients have when there are product recalls and the list goes on. yes there is some privacy risk, the same as there is with your banking, your car registration data, your facebook data, your medical records currently in your doctors surgery, your medicare and centrelink data. the payoff is much higher than for all of these and is well worth the risk.
Desmond Graham
July 13, 2018 at 3:23 pmWhat Bullshit biggest game changer since Penicillin?- don’t you think the simple blood test that has been developed overseas, I read, that will tell a person they have a cancer, or genetic screening and the genetic treatment are slightly more of game changers than government controlled personal health records when the person themselves are not allowed to access it – I see you read the the advertising or are you one of the spin doctors?
Andrej Panjkov
July 13, 2018 at 7:36 pm“…if properly taken up and used…” But look at the shambles that is MyGov. A database full of bad data, poor UI, poor UX, no record of transactions that users can view, bug after bug after bug, but no way to report bugs apart from a feedback page, itself badly designed and broken, that is only monitored if one makes enough noise. Will MyHealth be any better than its host, MyGov? I doubt it.
Privacy in MyHealth is broken right now, in that it depends on medical professionals to be security-conscious. I’m sure that some of them are. The physician at the public hospital clinic with login credentials on a sticky note stuck to the terminal, for all to read (and photograph, as I could have done when he left the room for some minutes) was not one of them. I’ve seen how terribly weak the passwords of some medical professionals are. That’s two problems right there – firstly, that they use bad passwords, and will downplay their responsibility to secure their credentials when that’s pointed out, and secondly, that I have seen them at all. (No, I don’t shoulder-surf – these passwords were freely revealed to me.)
I don’t want any medical professional free access to my medical history. I do not want to see my optometrist and have them smirking because of some juicy tidbit they read in my medical history. I don’t want family members or employers to go diving into my medical history. I don’t want GPs or physicians that I am “trialling” to have full access until I am comfortable with them. I don’t want insurers to have access (which they are sure to push for) to what may be poorly transcribed data entered by physicians in a hurry.
“Guru”‘s list of benefits include some that benefit the profession more than patients, which is a kind of trickle-down argument. The claim that reduced costs can be reinvested in health is true, insofar as the word “can” allows that possibility. Change “can” to “will” and the statement becomes almost certainly false. Hypothetical cost savings will just mean the consolidated pool has more money to spend on pork-barrelling boondoggles. Anyway, I wonder where these reduced costs will come from? Will some hospital stays be shortened, or deemed unnecessary altogether?
I’m opting out, and I’m urging everyone I know to opt out too.
Guru
July 13, 2018 at 8:03 pmThe benefits I listed are all about patients not medical professionals. Reduced costs will come from less repeated X-rays and imaging and pathology for a start, there are thousands of unnecessarily repeated tests and imaging because records are not shared. That’s just for a start. Lots of savings from reduced medical and medicines errors as well.
Desmond Graham
July 15, 2018 at 12:58 pm-Yep – you must be part of the spin doctoring – because people already know if they have had an X-ray and pathology recently and the doctors can access it already . If you are unconscious then you will get one anyhow in emergency whether you had it yesterday or not . Not shared records doesn’t mean the records cannot be accessed.
Guru
July 16, 2018 at 9:43 amnot part of the spin doctoring, I have no vested interest other than having worked in the healthcare system for close to three decades and seeing how much inefficiency happens and how much avoidable error happens. And you are being naïve if you think it is easy to access records which are not shared, people will know if they have had some kind of test recently many people have no idea what kind or what it covered, to access an electronic image which is not shared could take several phone calls and hours of time, many times its just easier for a doctor to order another one than trying to get access to it. Trust me there are massive improvements in cost and efficiency but more importantly for outcomes for patients by using the record. it truly is the single most important thing we can do to improve healthcare.
AR
July 13, 2018 at 6:43 pmThrow the bastards out but put not your trust in ALPrinces.
The spook state is too strong for the Alternative Liberal Party to dare take a stand.
Not that they would want to – I’m sure they are rubbing their painfully erect nipples with Proseco by moonlight. (Have I got that right, FDotM?)
GF50
July 13, 2018 at 6:50 pmGet you GP to bring up your eHealth records EDIT, you will find many errors, and other stuff that is nobody’s business nor any thing for statistics, put onto your own “stick” for your and your GP info only. Then delete eHealth record, then opt OUT. Cancer registry is run by Telstra health and given their record with telephone and data accounts consider that this is open slather to whomever clerk, cleaner, general factotum, busybody, sticky beak, employer, insurer, just anyone who cares to casually enquire. They don’t have to “hack”!
This will be outsourced, and there will be heavy charges to access this info. Facebook on steroids. Keep your own records, they are yours! not the governments, not the Dr’s, yours! edit what is transferred via the internet, test results etc. Make sure all treating health personnel are aware that you have opted out and they are NOT to post you or your history or any part thereof to my health record. Best of luck, all data collected it is not to improve, your or the general populace heath or treatment outcomes. Big Pharma, Insurers, love it!
applet
July 14, 2018 at 8:19 amWasn’t there a promise to provide an opt-out phone number?
Like nearly everything we’ve been been shackled down with the last five years, I blame the non-opposition.