The Australian My Health Record initiative is expected to take off in early 2019. Australians have been given until 31 January 2019 to opt-out before an account is automatically created for them. But, while this provides patients and healthcare providers with a more convenient way to manage and share patient data, it also raises many controversial privacy concerns. A significant issue that is expected to arise is the increase in privacy breaches. This is a result of employee negligence or spying, leaving electronic health records (EHR) vulnerable to illicit access.
It is quite common among healthcare organisations to have a very careless security culture, with professionals sharing logins or leaving their accounts open on unattended computers for a long period of time. This leaves them vulnerable to others who can inappropriately search for anyone's EHR without valid reasons and without being monitored. While the Australian Digital Health Agency (ADHA) has said that patients can know who has accessed their records, healthcare workers have said that it may be hard to know who exactly did so.
A spokesperson for the ADHA stated that "All hospitals have a responsibility and requirement to protect the privacy and security of patients' data regardless of whether it's held on their own systems or contained on my health record." However, the common method of issue for providers is to give employees generic passwords for login access. A 2017 survey by the Health Informatics Society Australia revealed that over 60 percent of healthcare workers in both private and public hospitals had some shared or generic login information.
A former nurse told the ABC that in his previous workplace, sometimes generic passwords were used and even stuck on computers to simplify the workflow. Such habits are what make identifying who accessed a record difficult. This leaves patients exposed and vulnerable to anyone who wants to abuse the My Health Record System for a selfish, or even, illegal purpose.
As of February, 13 health workers have been fired and 26 have been disciplined for inappropriately accessing patient records.
In order to combat such breaches, the ADHA monitors the system for unauthorised access to EHR with the punishment consisting of "up to two years in jail and up to $126,000 in fines."