There have been no reported unauthorised views of a person’s health information in My Health Record in the six years of its operations. More than 6.3 million people have a My Health Record.
The Australian Digital Health Agency (the Agency), which was established in July 2016, has a legal responsibility under the My Health Records Act 2012 to report ‘notifiable data breaches’ to the Office of the Australian Information Commissioner (OAIC). These ‘notifiable data breaches’ have been routinely reported to the OAIC by the Agency and by the Department of Human Services, which runs the identity scheme that underpins My Health Record. These reports are published annually by the OAIC. Details are also described on page 59 of the Agency’s 2017-2018 Annual Report. Errors of this type occur due to either alleged fraudulent Medicare claims or manual human processing errors, as was the case for the breaches reported during the 2017-2018 financial year. There has been no reported unauthorised viewing of any individual’s health information from a ‘notifiable data breach’.
In each case, the affected individuals have been contacted and the OAIC has examined the circumstances of the breach and no unauthorised breach has been determined. In all instances of data breaches reported by the Chief Executive Medicare, the Department of Human Services took action to correct the affected My Health Records.
When a person’s health information is stored in different places – hospitals, doctors’ offices, filing cabinets, computers – they don’t know who is accessing it or when. In a My Health Record, every access is listed in a person’s record access history. A person can be notified by text message about who is accessing their record or restrict access to all or parts of their record.
If a person feels someone has looked at their record when they shouldn’t have, they can call 1800 723 471 and the Agency will investigate immediately. It is criminal for someone to have unauthorised access to a record, and serious penalties apply.