Why I’m Opting Out Of My Health Record (And You Should Too)

Why I’m Opting Out Of My Health Record (And You Should Too)

It will benefit some, sure. But the privacy risks far outweigh the benefits for most.

“I want to make sure we bring consumers with us in the e-health journey by adopting an ‘opt in’ model – allowing them to choose when to sign on,” said Nicola Roxon, about the then-Labor government’s rollout of a voluntary, shared digital health record for all Australians.

“I believe that the benefits of giving the Australian public the choice as to whether they participate will be key to the successful implementation,” Roxon continued, adding: “I think moving to an ‘opt out’ position would be a serious mistake.”

Seven years and a change of government later and that “serious mistake” has become a reality: the Turnbull government, under federal Health Minister Greg Hunt’s leadership, will now automatically opt everyone into having a digital health record by the end of the year unless they actively withdraw consent during a designated three-month opt-out period that started on Monday.

Australians’ trust has been betrayed by this government’s move away from an opt-in model to opt-out. While Hunt’s intention to have everyone automatically given a record is well-meaning, it’s not good enough to simply adopt an opt-out model to fix lacklustre sign-ups.

For myriad reasons I will be opting out of having a health file, known as a My Health Record, and you should do the same, depending on your circumstances.

My decision to opt out comes after consulting several healthcare professionals, privacy and computer security experts, the government and patients who stand to benefit from having a record.

I concluded that any benefit I would personally get from having a digital record would be negligible compared with the risks of it being accessed by unauthorised parties.

One of the main reasons I have decided to opt out is my lack of confidence in the government to secure its citizens’ data, and several breaches where information hasn’t been sufficiently secured.

In one such breach, one in 10 private health records were exposed by the Department of Health after the agency uploaded what it thought was de-identified Medicare Benefits Scheme and Pharmaceutical Benefits Scheme data for research purposes.

Further, the fact a quarter of Australian data breaches from February 22 to March 31 reported to the federal Privacy Commissioner involved healthcare providers has given me no confidence the system will be secure at its weakest point – GPs’ offices.

Here are some of the other issues with the system:

  • While PINs can be placed on individual records, these can be broken in “emergency” situations using an override function, or, as security experts fear, by unauthorised criminals.
  • Up to 900,000 health professionals will be able to gain access to an individual’s records but there is no guarantee that the security of their computers will be kept up-to-date.
  • With access to a computer that can retrieve My Health Record data, an unauthorised party could gain access to any Australian citizen’s record (there have been breaches where Medicare details have been up for sale on the dark web).
  • There are likely to be instances where a record is uploaded without your genuine, informed consent. Already, tick boxes are being spotted that state: “Do not send to My Health Record”. These boxes should instead ask: “Do you want this sent to My Health Record?”
  • Centralising health data increases the risk an unauthorised party can gain access to it. This is because if a hacker wanted to target you now, they would have to know who your GP is to access your data.
  • The system behind securing the records, myGov, has been proven to lack proper security protections in the past. While many of these protections have since been implemented, concerns remain.

There are, of course, situations where having a shared digital health record will be useful for some.

If you suffer from chronic illnesses, have allergic reactions or anaphylactic shocks, and otherwise need information to be conveyed to a medical professional when you are unable to, then the benefits will outweigh the risks in a situation of life or death.

But if like me you are concerned, you should opt out.

Alternatively, you should subscribe to access notifications, set up PINs, and restrict access to files you do not wish to be accessed by all and sundry. Then, at every interaction with a health professional, be prepared to ensure you tell them whether you want your record uploaded or not.

This article originally appeared in Digital Life, The Sydney Morning Herald’s home for everything technology. Follow Digital Life on Facebook and Twitter.


  • Weighing up the options, I have chosen to opt out, I still then have the option to opt in later. Having said that what happens to my documentation and records held by my GP on her computer and interoffice NAS? Also, if I have an accident and being taken to a hospital, how do I manage to give them access? This is a very complex issue.

  • Given the guy in charge here set up the failed British version, opting out is the only option.

    Added to that is the hack that occurred in Singapore recently.

    This will be a hackers dream.

  • I figure all that scary data about me is already sitting on various computer systems meaning most of the arguments against signing up apply whether you sign up or not. At least now I know what that data actually is.
    And like you mention, turn on access notifications or a pin.

  • I find this article really unconvincing.

    First, as @mixedemoticons pointed out, right now what we have is a situation where patient records are stored in a decentralised system, so they will be as secure as the at-rest security of the clinic with them. Social engineering attacks remain probably the most likely attack to succeed, so usually it isn’t the security of the centralised platform you need to be that concerned with, but the security of the person answering the phone and faxing out everything.

    You refer to the medicare data leaks, but if you read the senate report you would know the current belief – based on the information required in order to get the medicare details, among other things – is that that ‘breach’ is or was someone’s legitimate credentials being used to retrieve records. It isn’t clear whether it was someone’s credentials having been compromised (and the security design wasn’t great, in that although it needs digital certs they are not hardware-bound), but that’s not an attack-at-scale situation.

    As you’ve pointed out, people can set a PIN and notification. Unless someone does manage to hack the central system, which it seems they haven’t been able to do with the previous and more weakly designed Medicare system, then the only way they’re going to be getting access to data is via the emergency provisions. It may be that someone can leverage those emergency provisions to illegitimately access a record, but that’s why you set up notifications – so you can act if that happens.

    You’ve provided no evidence that MyGov lacks security.

    I don’t disagree with all your points – having government access for the purposes of protecting revenue is silly and is only likely to drive people away. And yes, data centralisation is a risk. I also think that not identifying which individual within a practice accessed a record is a bad idea. However, hand-waving at the truth that no data is absolutely secure is not a sensible way to assess risk.

    Part of the point of central medical records is because even when people think things are simple they are not. Having aggregate data over time of even relatively simple data points can provide diagnostic power that would otherwise not be possible. Allowing that dataset to be used for research also has the potential to improve our ability to isolate and diagnose problems because it gives a pool of data on people who _do not_ have a particular disease and a range of test data for those people. Those kind of ‘relatively healthy’ controls and logitudinal data have huge value in isolating characteristics predictive of later disease conditions.

    You say that people can just ‘opt in’ later if they choose to, but how many people have carefully moved their medical data from one practice to another? Chances are that opting in is going to mean that data will be collected from here on, and maybe if they’re lucky the last practice they went to as well.

    There are things in the electronic health records that would benefit from improvement, and there are a few stupid things too. However, while you’re welcome to opt out, you do us all a disservice by taking such a strong position with such weak support.

  • In modern and wise countries Like Sweden …..medical records are available for doctors to access no matter what part of the world they live. This saves a huge amount of time…..so that records do not need to be duplicated by having to go and do all over again, xrays, blood tests, drug trials, etc. The cost of redoing this sort of stuff is phenomenal….can cost lives….and benefits the doctor’s and hospital’s bankbooks but not the patient’s health.
    I have paid for these xrays and they should be available for any doctor I go to….The government realizes that Medicare is costing more and more….and they are wisely putting in a plan to cut costs without harming your budget or your health.
    I could say more…but anyone who thinks that emailing another doctor and hoping they will respond with information immediately is not thinking. And anyone who thinks that all doctors have time to do is repeat procedures when the information is there in an instant is a fool. People’s lives are at stake.
    If patients want to travel and then get sick and the doctor doesn’t know what has happened in your past or perhaps even what medication you are on…(say you are unconscious) then you are asking for trouble.

    • I agree 100%.

      and may I add a personal example; that of my grandfather, who is 90+ years old, has had 2 types of cancer resulting in 3 surgeries in a year (for the past several years). In all, throughout any given year, he visits > 3 specialists + his GP, across 4-5 hospitals and that’s not counting any emergency room visits throughout the year.

      This system is critical for people like him as right now, often I have to fill in any gaps in medical history for each doctor as I’m the only person with the holistic view and anything missed could be a life threatening issue.

      With an aging population, I’d imagine this would become more and more important…

  • My issue is not with the concept or the practical benefit of such a system, Digital Health will save lots of lives, what Queensland and NSW have been doing in their hospital systems are ground breaking…

    … but what the Federal Government has done with the ADHA implemented  system and how its managed is the issue. They have shown a lack of foresight which when it comes to privacy is a huge issue.

    This is an agency that has one job, keep Records, and has decided Retention and Disposal in compliance with State and National guidelines was too hard. They wrote a Section 17 in their legislation allowing them to just apply the maximum time frame of 30 years after death to all records. It’s a record keeping agency that’s too lazy to do proper records disposal… and then if you wanted stuff to be removed it was “effectively removed” when they meant hidden (bad to use air quotes in your own privacy FAQ)  Their reason was for medical legal reasons, which doesn’t apply to them, cause the records are a copy as the health care provider has to keep the original record for the mandated archive period.  It’s the laziest records keeping I have seen in Government, for a agency that has the word Records in its agency name and its service.

    … they reversed that decision, yesterday, allowing the right to delete.

    … they also reversed the decision of warrantless access. 

    The catch is they have to rewrite the Act to allow both those changes to be formalise, cause they wrote clauses in their own legislation to make it law that they could skip what was standard legislations for whole of government.

    If your writing your own legislation, maybe consult with people, get opinions not only at the draft but also at milestones and before go-live, cause it’s a bit late to be consulting people on things you deliberately avoided now!


  • Hackers will access your GP’s computer far more easily than the national system. No computer based system is secure. Maybe we need sub dermal chips like our pets.

  • What is so special about your health data being potentially accessed by an unauthorized individual, over other services such as your email/bank accounts/facebook/etc?

    Of course I am not discounting the fact that it is sensitive information, but currently, if information is sitting locally on GP’s Windows XP desktops, do you really feel more secure? And what about all the hospital equipment running embedded versions of Windows XP, directly accessible via the internet?

    As a government agency, they are also bound by audits and other standards, thus, the data in theory, should be more rigorously protected.

    In addition, services such as emergency access most likely has built in alerting, such that, if this method is used to access a record, internal operation teams + the end user would be notified to investigate and approve/deny the access – you can’t comment on a closed source solution/application and say it is fulls of holes without understanding it’s capability and reviewing operational processes and procedures.

    This system will greatly help those who use medical services often, and who use multiple ones, such as emergency rooms etc. It also would assist to curb drug addiction as medical staff should be able to identify what medication you are currently on, when it was prescribed, by who, why, etc.

    • When it is sitting with a GP here and there it isn’t a complete data set. So it is less valuable.
      The probpem with people accessing it is it could be sold to insurers. That might not be bad for you, but wait until your children go for cover and are denied because of some genetic disposition they found out that you have.

Show more comments

Log in to comment on this story!