Following the HealthEngine scandal in 2018, and the recent use of Pharmaceutical Benefits Scheme (PBS) data to assist recruitment into research on bipolar disorder, a Twitter user on Friday 23 August shared an SMS message attempting to recruit him into a clinical trial.

This appears to have occurred through the use of a health data platform. Research by digital rights organisations today revealed that sensitive patient details—including contact details, demographics and complete medical histories—can be shared with a wide range of partners, including, it appears, private health insurers.

Dr Trent Yarwood, health spokesperson for Future Wise and a medical specialist, said “Secondary uses like this are a very ethically murky area. People don’t generally expect to have personal details from their healthcare providers made available to anyone, even if well intentioned.”

The terms and conditions of some applications include access to data from myHealthRecord. “While the My Health Records Act includes privacy provisions, once this data is accessed by an external system, these provisions no longer apply,” continued Dr Yarwood. “I’m very concerned that practices making use of this system are not aware of just how widely this data can be shared—and that they are expected to fully inform patients of the nature of the data use,” he concluded.

“This kind of barely-controlled data sharing is only possible because of how little privacy protection is provided by the current legislation,” said Justin Warren, Electronic Frontiers Australia board member. 

“People have made it clear time and time again that information about their health is extremely personal, private, and they expect it to be kept secure, not shared with all and sundry,” he said. “What people think is happening is quite different to what actually is, and these companies are risking catastrophic damage to patient trust with their lust for data.”

“If you found out your doctor was sharing your full medical history with private health insurers, or the police, would you keep seeing them?” he added.

Robust privacy protections are needed for all Australians, such as by finally giving us the right to sue for breach of privacy, requiring explicit consent for each disclosure of medical or health data to a third party, and providing proper auditing of record access that is visible to the patient. It is imperative that the risks of health data sharing receive greater attention.