My Health Record
Summary
The My Health Record system, Australia's national digital health records platform, experienced a data breach in July 2018 during a critical period when the system was transitioning to an opt-out model. The breach occurred as concerns about privacy and security were already prominent in public debate. While the exact scale of the breach was not fully disclosed, the incident affected Australia's most sensitive government health database and raised serious questions about the security of centralised medical records.
What Happened
The My Health Record system experienced unauthorised access to patient health records through what appeared to be system misconfigurations or inadequate access controls. The breach occurred during a politically sensitive period when the federal government was transitioning the system from opt-in to opt-out, meaning all Australians would automatically have a digital health record created unless they actively chose to opt out.
The exact technical details of how unauthorised access occurred were not comprehensively disclosed, but reports indicated that access controls may not have been properly configured, potentially allowing individuals to view records they should not have been able to access. The timing amplified public concern, as millions of Australians were about to be enrolled automatically in the system.
Impact on Individuals
The breach affected individuals enrolled in My Health Record, potentially exposing the following to unauthorised access:
- Medical histories: Diagnoses, treatments, and health conditions
- Prescriptions: Medication records and pharmaceutical history
- Specialist consultations: Records from various healthcare providers
- Medicare information: Medicare numbers and healthcare service usage
- Sensitive health data: Mental health records, sexual health information, substance use treatment
The compromise of health records creates unique harms:
- Privacy violation: Medical information is among the most sensitive personal data
- Discrimination risk: Health conditions could be used for employment or insurance discrimination
- Psychological impact: Knowing intimate health details were accessed causes distress
- Permanent sensitivity: Health information remains sensitive indefinitely
- Trust erosion: Damaged confidence in sharing information with healthcare providers
Unlike financial data, health information cannot be changed or replaced, making breaches particularly harmful.
Public Response and Policy Impact
The breach occurred during intense public debate about My Health Record privacy and security:
- Opt-out campaign affected: Privacy advocates used the breach to highlight risks of automatic enrolment
- Deletion requests surged: Hundreds of thousands of Australians opted out or deleted records
- Parliamentary scrutiny: Senate inquiries examined the breach and system security
- Policy changes: Government implemented additional privacy protections in response to concerns
- Healthcare provider concerns: Medical professionals questioned the security of the centralised system
Government Response
The Australian Digital Health Agency and Department of Health responded by:
- Investigating the unauthorised access incidents
- Implementing enhanced access controls and monitoring
- Strengthening authentication requirements for healthcare providers
- Increasing audit logging and breach detection capabilities
- Conducting security reviews of the entire system
- Engaging the Office of the Australian Information Commissioner
Additional legislative changes were made to strengthen privacy protections, including:
- Limiting law enforcement access without warrants
- Enhancing patient control over record access
- Strengthening penalties for unauthorised access
- Improving transparency around access logs
Long-term Implications
The My Health Record breach had lasting effects on Australia's digital health infrastructure:
- Public trust: Significant erosion of confidence in government health IT systems
- Adoption rates: Lower-than-expected uptake as many Australians opted out
- Policy framework: Led to stronger privacy and security requirements for government health systems
- Healthcare digitisation: Slowed momentum for other digital health initiatives
The incident remains a reference point in debates about centralised health data systems and the balance between healthcare efficiency and privacy protection.