Partially True

Rating: 6.5/10

Coalition
C0298

The Claim

“Rolled out the My Health Record to the whole country as an opt-out system, despite safety concerns about how abusive stalkers can use it, and despite the trial involving 9 security breaches. 42 more security breaches happened within weeks of the system being rolled out nationally.”
Original Source: Matthew Davis

Original Sources Provided

FACTUAL VERIFICATION

Trial Phase and Initial Breaches

The trial phase of My Health Record ran from January 2016 in Far North Queensland and NSW Nepean Blue Mountains, involving approximately 1 million participants [1]. The claim references "9 security breaches" during the trial. According to available records, there were 35 breach notifications reported during the 2016-17 period, which covered both the trial phase and the early rollout implementation [2]. The specific figure of "9" does not match documented records, though the existence of security breaches during this period is confirmed.

The 42 Breaches Claim

The claim that "42 more security breaches happened within weeks of the system being rolled out nationally" is partially accurate but significantly misleading in its timeframe. The Australian Digital Health Agency (ADHA) reported 42 data breaches between July 1, 2017, and June 30, 2018 [2]. However, this 12-month period does not represent "within weeks" of the October 15, 2018 national rollout to opt-out; rather, many of these breaches occurred before the system-wide changeover. The rollout commenced gradually, and the 12-month timeframe covers a broader period than suggested by the claim [3].

Nature of Reported Breaches

Critically, the ADHA explicitly stated "There have been no purposeful or malicious attacks compromising the integrity or security of the My Health Record system" [2]. Of the 42 reported breaches during this period:

  • 17 involved intertwined records (two or more people using the same Medicare record)
  • 22 involved attempted Medicare fraud (unauthorized claims appearing in records)
  • 3 were reported to the Office of the Australian Information Commissioner (OAIC) [2]

These were primarily administrative and fraud-related issues rather than security breaches in the traditional sense (unauthorized system access, data exfiltration, etc.).

Opt-Out System Implementation

The claim accurately states that the system was converted to opt-out rather than opt-in. The Coalition government changed the My Health Record from an opt-in model (inherited from Labor's original Personal Controlled Electronic Health Record system) to opt-out on October 15, 2018 [4]. By September 2018, approximately 900,000 Australians had already opted out of the system [4].

Domestic Violence and Stalker Safety Concerns

The claim's reference to "safety concerns about how abusive stalkers can use it" is a legitimate and well-documented concern. Clinical documents in My Health Record may contain healthcare provider addresses and location information that could be misused by domestic violence perpetrators [5]. Several safeguards were officially implemented:

  • Restriction codes to limit record access
  • Option to register with a pseudonym
  • Medicare upload control settings

However, privacy advocates raised concerns that these protections were not universally understood or consistently applied [5]. The concern that inadequate privacy protections could deter domestic violence survivors from seeking medical care is documented in privacy impact assessments [5].

Missing Context

The claim omits several important contextual elements:

  1. Labor Created the Original System: The My Health Record system was originally developed by the Labor government as the "Personal Controlled Electronic Health Record" (PCEHR), launched July 1, 2012, with approximately $467 million invested [6]. The Coalition's contribution was rebranding it and changing from opt-in to opt-out, not creating a new system from scratch.

  2. Lack of Malicious Attacks: The claim implies serious security vulnerabilities, but ADHA's explicit statement that there were "no purposeful or malicious attacks" indicates the reported breaches were administrative rather than security failures in the technical sense [2].

  3. Timeline Misrepresentation: The 42 breaches occurred over a 12-month period (July 2017-June 2018), not "within weeks" of the October 2018 national rollout. This significantly misrepresents the severity and immediacy of the problem.

  4. Parliamentary Response: Following safety concerns raised during the 2018 rollout, the Coalition government introduced the My Health Records Amendment (Strengthening Privacy) Bill 2018 (August 22, 2018) to prevent unauthorized government and law enforcement access without a court order, demonstrating some responsiveness to privacy concerns [7].

Source Credibility Assessment

The original sources provided include News Mail (a regional Australian news outlet) and Daily Mail UK (a tabloid publication). Daily Mail is a mass-market tabloid known for sensationalism and has a history of both factual reporting and exaggeration depending on the story [8]. News Mail is a regional Queensland publication with a less well-established national reputation for investigative journalism. Neither source is an authoritative primary source (government agency, parliamentary records, or independent audit).

The claim's phrasing ("despite the trial involving 9 security breaches...42 more...within weeks") uses alarmist language and implies a security crisis that ADHA's official statements do not support. This framing suggests the original sources may have prioritized attention-grabbing headlines over precise representation of breach types and timelines.


Labor Comparison

Did Labor create or propose a similar health records system?

Yes, the Labor government created the original personal health records system. The Personal Controlled Electronic Health Record (PCEHR) was launched by the Rudd-Gillard Labor government on July 1, 2012, with $467 million in investment [6]. The key difference in approach was model design: Labor's PCEHR was opt-in (voluntary), meaning individuals had to actively register to have a record created [6]. The Coalition government inherited this system and rebranded it as "My Health Record" while changing it to opt-out in October 2018 [4].

Comparison of approach: The systemic concern about privacy and security is not unique to the Coalition—both parties had to grapple with managing millions of health records in a digital system. Labor's opt-in model meant fewer people were enrolled, which may have reduced exposure to privacy risks but also meant lower health system integration. The Coalition's opt-out model prioritized health system efficiency and integration but increased privacy exposure for all Australians regardless of individual preference [4].


Balanced Perspective

Coalition's Justification: The shift to opt-out was framed as improving healthcare outcomes by ensuring more comprehensive health data integration and accessibility for treating clinicians. An opt-out system with 900,000+ initial opt-outs still achieved broad population coverage while allowing those with privacy concerns to withdraw [4].

Legitimate Privacy Concerns: The safety risks for domestic violence survivors and abuse victims are real and documented. The existence of provider location information in clinical notes creates genuine privacy risks for people fleeing abusive situations [5]. These concerns were raised by victim support organizations and privacy advocates during the rollout period.

Nature of the Breaches: While 42 breaches sound alarming, ADHA's classification and statement that no malicious attacks occurred suggest these were operational issues (wrong record access, fraud attempts flagged by the system itself) rather than security infrastructure failures or data theft [2]. This is an important distinction—the system flagged problems rather than failing to detect them.

Process and Response: The Coalition government did respond to privacy concerns raised during the rollout by introducing amendments to prevent government and law enforcement access without a court order, showing some responsiveness to legitimate concerns [7]. However, critics argue the initial rollout was rushed and safety concerns were not adequately addressed before implementation.

Key context: While the Coalition changed the system from opt-in to opt-out, the foundational architecture and many of the security challenges were inherited from Labor's original design. The real policy debate is about whether opt-in versus opt-out better serves both healthcare outcomes and privacy protection—a legitimate disagreement between parties rather than a unique Coalition failure.

PARTIALLY TRUE: 6.5 out of 10

The claim contains accurate elements (security breaches did occur, opt-out system was implemented, domestic violence safety concerns are real) but significantly misrepresents the nature and severity of the security issues and the timeframe of breaches. The "9 breaches during trial" figure does not match documented records (35 reported in 2016-17), and the "42 breaches within weeks of rollout" misrepresents a 12-month period and downplays ADHA's explicit statement that no malicious attacks occurred. The framing creates an impression of a severe security crisis rather than an operational health system grappling with privacy and administrative challenges.

SOURCES & CITATIONS (8)

  1. digitalhealth.gov.au (Digitalhealth Gov)
  2. digitalhealth.gov.au (Digitalhealth Gov)
  3. cyware.com (Cyware). Original link unavailable; archived version.
  4. spectrum.ieee.org: "A wave of opt-outs highlights distrust in the government’s security and privacy promises" (IEEE Spectrum)
  5. privacy.org.au (Privacy Org)
  6. digitalhealth.gov.au (Digitalhealth Gov)
  7. parlinfo.aph.gov.au (Parlinfo Aph Gov)
  8. ipso.co.uk: "IPSO - the Independent Press Standards Organisation - is the independent regulator for the UK digital and print news industry." (IPSO)

Rating Scale Methodology

  • 1-3: FALSE. Factually incorrect or malicious fabrication.
  • 4-6: PARTIAL. Some truth but context is missing or skewed.
  • 7-9: MOSTLY TRUE. Minor technicalities or phrasing issues.
  • 10: ACCURATE. Perfectly verified and contextually fair.

Methodology: Ratings are determined through cross-referencing official government records, independent fact-checking organizations, and primary source documents.