They created health records for 23 million Australians without asking. Police could read them without a warrant. The opt-out page used Google reCAPTCHA. Half the records are empty. It cost $2 billion.
My Health Record is Australia's national digital health record system. Run by the Australian Digital Health Agency (ADHA), it holds medical data for 23.8 million Australians — over 90% of the population. GP visits, prescriptions, pathology results, hospital discharges, immunisations, and diagnostic imaging.[1]
It was originally opt-in. After six years and $1.15 billion, only 5.8 million people had signed up — one in five Australians.[2]
So the government made it opt-out.
In 2018, the government switched My Health Record from opt-in to opt-out. If you didn't actively refuse during a window that ran from July 2018 to January 2019, a record was automatically created for you.[3]
On day one, the website crashed. Phone wait times hit 1.5 hours. Support staff were told to "punch people's details into the website." Prime Minister Malcolm Turnbull confirmed the glitch.[4]
Near the deadline, the helpline crashed again. The ADHA blamed a "minor technical issue" and told callers to try after 2pm.[5]
The opt-out portal embedded Google reCAPTCHA — sending behavioural data to Google by design. To protect your medical privacy from the government, you had to give data to Google first. The ADHA stated "there is no sharing of data with third parties." reCAPTCHA sends data to Google by definition.[6]
2,517,921 Australians opted out — a 9.9% opt-out rate. Another 287,995 cancelled existing records. The advertising campaign to promote the opt-out blew out from $5.45 million to $10.45 million after the deadline was extended.[3]
The remaining 21 million got a health record whether they wanted one or not.
"Under no circumstances will records be released without a court or coronial order."[7] — Health Minister Greg Hunt
The Parliamentary Library checked the actual law and said he was wrong.[8]
Section 70 of the My Health Records Act 2012 allowed the System Operator (ADHA) to disclose health information to law enforcement whenever it "reasonably believed" disclosure was "reasonably necessary" for preventing, detecting, or investigating criminal offences. No warrant. No court order. No judicial oversight.[9]
The ADHA said it had an internal policy of requiring court orders. But internal policy has no legislative backing — it could be changed at any time, by anyone, without telling you.[10]
The My Health Records Amendment (Strengthening Privacy) Act 2018 was passed after public backlash. It required court orders for police access, enabled permanent deletion, prohibited insurer and employer access, and increased penalties to 5 years' jail and $315,000 fines.[11]
The Australian Privacy Foundation's response: "The Australian people cannot rely on this or any future government to properly protect the privacy and security of their health data." Legislation can be "increased and, just as easily, weakened."[10]
In August 2016, the Department of Health published "de-identified" medical billing records of 2.9 million Australians — 10% of the population — on data.gov.au. One billion lines of data covering 1984 to 2014.[12]
University of Melbourne researchers Vanessa Teague, Chris Culnane, and Benjamin Rubinstein decrypted every service provider ID in the MBS dataset. They re-identified patients using as few data points as childbirth dates.[12]
The dataset was taken offline the same day the researchers notified the department.[13]
Rather than fix the anonymisation, the government attempted to criminalise re-identification research — proposing 2 years' imprisonment for anyone who re-identified publicly released data. The researchers warned this would chill security research. Dr Teague: "Open publication of de-identified records like health, census, tax or Centrelink data is bound to fail."[12]
In their 2018 Senate submission, the researchers warned: the identifiable MBS-PBS data is "a resource that an attacker could leverage in My Health Record re-identification." Cross-referencing with commercially available datasets (pharmacy purchases, bank billing data) could further enable identification.[14]
The "break the glass" emergency access function — meant for life-threatening situations — was used 6,557 times in 2022. The OAIC found:[15]
The OAIC assessed 20 GP clinics and found:[15]
The Health Minister called it "military-grade security."[7]
Conservative estimate of total My Health Record spending:[16]
The National Infrastructure Operator contract with Accenture started at $47 million in 2012. It grew to $746 million through repeated extensions. The ANAO audit found:[17]
The Productivity Commission estimated better use could save hospitals $5.4 billion per year. But "no one, in or out of government, has made a business case for My Health Record that uses actual numbers."[22]
Before 2018, "deleting" your record was theatre. It was "removed from view" but retained — for 30 years after death, or 130 years after birth if the death date was unknown.[11]
The 2018 amendment enabled permanent deletion. "No archived copy or backup will be kept."[11]
But: every GP, hospital, specialist, and pharmacist who accessed your record has their own copy. The delete button removes the central record. It does not recall the data already distributed across the healthcare system.[23]
If you share a Medicare card with an abusive partner, they can see where you sought medical treatment — including visits to DV services, sexual health clinics, or mental health providers. Clinical documents may contain your address. Medicare auto-upload shows which clinics you visited.[24]
A Senate committee recommended extending the ability to suspend records for DV protection. The government "noted" the recommendation — the bureaucratic equivalent of reading it and doing nothing.[25]
A pseudonym option exists. You have to know it exists, call a helpline, and navigate the process yourself.[24]
The Health Legislation Amendment (Modernising My Health Record — Sharing by Default) Act 2025 made test result sharing mandatory:[26]
HIV-positive Australians — a community that has faced decades of discrimination — now have their viral load automatically uploaded to a centralised government health database. Patients can opt out, but providers must document exceptions and keep records for two years. The system that started as "voluntary" now fines doctors who don't upload your results.[26]
The health burden for First Nations people is 2.3 times that of non-Indigenous Australians — exactly the population that would benefit most from better health data sharing.[27]
But Indigenous Allied Health Australia acknowledges that "information provided by and about Aboriginal and Torres Strait Islander people and communities has not always been treated respectfully, or used in ways that engage or benefit those people."[27]
Karl Briscoe, CEO of NATSIHWA: "It doesn't surprise me that a lot of people are opting out just for the mere fact that there's a risk of their information being hacked."[28]
Indigenous primary health care organisations are developing their own data governance under Closing the Gap Priority Reform 4. The system that could help the most is trusted the least by the people who need it most.[27]
As of June 2025, the OAIC "had not opened investigations into any complaints received during the reporting period and made no determinations under the Privacy Act in relation to compliance with the My Health Records Act."[29]
The enforcement guidelines are sunsetting April 2026. The ANAO found privacy risk assessments hadn't been updated since 2017. The ADHA board received cybersecurity briefings only 4 times between July 2016 and February 2019.[30]
A system holding the medical records of 23 million Australians operates under the assumption that nobody will check if the rules are being followed — because nobody does.
There is "little evidence that enforcement has required use of criminal or civil penalties."[31]
| Law | Section | Requires | What happened | Assessment |
|---|---|---|---|---|
| My Health Records Act 2012 | s 70 | Reasonable belief for law enforcement disclosure | Minister claimed court order required; law said otherwise. Fixed only after backlash. | Was breach |
| Privacy Act 1988 | APP 1.4 | Clear, accurate privacy policy | Google reCAPTCHA on opt-out page not disclosed as third-party data collection. | Probable |
| Privacy Act 1988 | APP 11.1 | Reasonable steps to protect | GP passwords under 10 chars. No remote access policies. Emergency access unmonitored. | Probable |
| My Health Records Rule 2016 | Rule 42(6) | Annual security policy review | 5 of 20 GP clinics had no containment in breach policies. OAIC found widespread non-compliance. | Probable |
| DDA 1992 | s 6, s 24 | Cannot discriminate in services; covers govt | Opt-out required digital literacy, internet access, and ID documents many lack. | Strong case |
| RDA 1975 | s 9 | Acts with discriminatory effect | Indigenous Australians face disproportionate barriers to exercising data rights. | Strong case |
| ADA 2004 | s 15, s 28 | Cannot impose age-disadvantaging conditions | Digital-only opt-out and management excludes elderly Australians. | Strong case |
| Privacy Act 1988 | s 13G | Penalty: serious interference | Up to $50,000,000. OAIC has never acted on MHR complaints. | Never enforced |