Alleged data theft by HealthEngine leaves hundreds of thousands of Australians vulnerable

Perhaps now is the time for readers to check who owns the company they might use to make medical appointment online.

ABC News, 8 August 2019: 

Australia's biggest medical appointment booking app HealthEngine is facing multi-million-dollar penalties after an ABC investigation exposed its practice of funnelling patient information to law firms. 

The Australian Competition and Consumer Commission has launched legal action against the Perth-based company in the Federal Court, accusing it of misleading and deceptive conduct. 

In June last year, the ABC revealed HealthEngine was passing on users' personal information to law firms seeking clients for personal injury claims. 

The details of the deal were contained in secret internal Slater and Gordon documents that revealed HealthEngine was sending the firm a daily list of prospective clients at part of a pilot program in 2017.

PHOTO: A negative review on HealthEngine's app page complaining about contact from personal injury lawyers. (Supplied: Apple App Store) 

The ACCC has also accused the company of passing the personal information of approximately 135,000 patients to insurance brokers in exchange for payments.

"Patients were misled into thinking their information would stay with HealthEngine but, instead, their information was sold off to insurance brokers," ACCC chairman Rod Sims said in a statement.

The information sold included names, phone numbers, dates of birth and email addresses.

The ACCC has not said how much money the company earned form the arrangement.

The ABC revealed last year that HealthEngine had also boasted to advertisers that it could target users based on their symptoms and medical conditions. 

HealthEngine has also been accused of misleading consumers by manipulating users' reviews of medical practices. 

"We allege that HealthEngine refused to publish negative reviews and altered feedback to remove negative aspects, or to embellish it, before publishing the reviews," Mr Sims said. 

Among a range of examples, the ACCC alleges that one patient review was initially submitted as: "The practice is good just disappointed with health engine. I will call the clinic next time instead of booking online." 

But when that review was made public, it was allegedly changed to simply read: "The practice is good." 

HealthEngine is facing a fine of $1.1 million for each breach of the law, but the ACCC has yet to determine how many breaches it will allege....

Cartoons of the Week

@cathywilcox1

@davpope

The Abbott-Turnbull-Morrison Federal Government still hasn't made personal health data secure

Since about 2014 it has been known that the personal details of Medicare cardholders has been for sale on the dark web.

Despite an April 2014 report by the Australian National Audit Office that the Consumer Directory - which contains all Medicare customer records - was not secure and that cardholder details were for sale, the federal Liberal-Nationals Coalition Government does not appear to have comprehensively acted act on the issue of database security.

It was not unknown that Medicare cardholder details were being used fraudulently.

In 2016-17 Twenty notifications, involving 123 separate breaches, resulted from findings under the Medicare compliance program. In these instances, certain Medicare claims made in the name of a healthcare recipient but not by that healthcare recipient were uploaded to their My Health Record.

When contacted by the mainstream media in July 2017 the Liberal MP for Aston and then Minister for Human Services Alan Tudge denied any prior knowledge of cardholder details being offered for sale.

It was not reported that at the time if he was asked about instances of Medicare cardholder details being used to commit fraud or identity theft.

In August 2017 eHealth Privacy Australia was telling the Senate Finance and Public Administration Committee that:

• There are fundamental weaknesses in both the HPOS (Medicare card data) and My Health Records systems, which make them vulnerable to illegal access.

• Those weaknesses mean that fraudulent users of the systems can assume the identity of legitimate users to gain illegal access.

• It is not sufficient to mitigate these weaknesses in the My Health Records system.

By 1 January 2019 IT News was reporting that Medicare cardholder details fraudulently obtained had been used to access an individual’s My Health Record:

The number of data breaches involving the My Health Record system rose from 35 to 42 in the past financial year, new figures show.

The Australian Digital Health Agency (ADHA) said in its annual report [pdf] that “42 data breaches (in 28 notifications) were reported to the Office of the Australian Information Commissioner” in 2017-18.

As with previous years, the agency said that “no purposeful or malicious attacks compromising the integrity or security of the My Health Record system” were reported in the period.

Of the 42 breaches, one was the result of “unauthorised access to a My Health Record as a result of an incorrect Parental Authorised Representative being assigned to a child”, the agency reported.

A further two breaches were from “suspected fraud against the Medicare program where the incorrect records appearing in the My Health Record of the affected individual were also viewed without authority by the individual undertaking the suspected fraudulent activity”, ADHA said.

In addition, 17 breaches were the result of “data integrity activity initiated by the Department of Human Services to identify intertwined Medicare records (that is, where a single Medicare record has been used interchangeably between two or more individuals)”, the agency said. [my yellow highlighting]

Despite this knowledge the Abbott-Turnbull-Morrison Government has still not grasped the nettle, because on 16 May 2019 The Guardian reported:

Australians’ Medicare details are still being illegally offered for sale on the darknet, almost two years after Guardian Australia revealed the serious privacy breach.

Screenshots of the Empire Market, provided to Guardian Australia, show the vendor Medicare Machine has rebranded as Medicare Madness, offering Medicare details for $US21.

Other vendors charge up to $US340 by offering fake Medicare cards alongside other fake forms of identification – such as a New South Wales licence.

The Medicare Madness listing suggests the Medicare details “of any living Australian citizen” have been available since September 2018.

Guardian Australia first reported patient details were on sale in July 2017, verifying the listing by requesting the data of a Guardian staff member and warning that Medicare card numbers could be used for identity theft and fraud.

The revelation prompted a review lead by former secretary of the Department of Prime Minister and Cabinet Peter Shergold.

The report did not identify the source of the Medicare data leak but suggested that people could use publicly available information about healthcare providers – including their provider number and practice location – to pass security checks and obtain a Medicare card number through the Department of Human Services provider hotline.

The review panel warned the “current security check for release of Medicare card information provides a much lower level of confidence than the security requirements” for Health Professional Online Services, the portal that allows providers to make rebate claims.

An IT industry source, who refused to be named, said the re-emergence of the data breach brings into question government assurances around the privacy of medical data “when those responsible cannot even manage the security of Medicare cards”.

The source said there is a “concerted effort at the moment by law enforcement to curtail darknet market activity”.

“In reality the darknet markets, while disrupted momentarily when their sites are brought down, easily relocate and continue business.”

Darknet markets can simply private message existing clients with a new link to resume business elsewhere. [my yellow highlighting]

Thus far the federal government has failed to recognise where Medicare cardholder details may be being accessed unlawfully, as this 2 August 2018 ABC online article indicates:

Privacy experts have warned that the system opens up health records to more people than ever before, thereby increasing the threat surface — the number of vulnerabilities in a system — dramatically.

Dr Bernard Robertson Dunn, who chairs the health committee at the foundation, says once the data is downloaded into the health system, the My Health record system cannot guarantee privacy.

"Once the data has been downloaded to, for instance, a hospital system, the protections of the hospital system apply, and then the audit logs apply to the hospital system — not to My Health record.

"So there is no way the Government would know who has accessed that data, and it is untraceable and untrackable that that access has occurred."

Dozens of Centrelink clients have had their names published on Facebook by a Commonwealth-funded work-for-the-dole provider

ABC News, 26 April 2019:

Dozens of Centrelink clients have had their names published online in what has been described as a "shocking" abuse of privacy.

A Commonwealth-funded work-for-the-dole provider uploaded lists of people who were required to attend client meetings to a public Facebook page.

"We are at a loss as to why anyone would post about workers' appointments online," union official Lara Watson said.

"We were shocked at the publication of names on a social media platform."

The incidents are the latest to emerge from the Government's flagship remote employment scheme, the Community Development Programme (CDP).

Nearly 50 people from the Northern Territory community of Galiwinku, located 500 kilometres east of Darwin, were affected.

The job service provider, the Arnhem Land Progress Association (ALPA), established the social media page apparently with the intention of uploading such lists.

"Welcome to our Facebook page where we will be posting appointments, courses and CDP information," it wrote last month.

The two sheets of names were posted to the Galiwinku CDP page on March 11 and 12.

Both images were shared to another local Facebook group titled Elcho Island Notice Board, which has more than 2,000 members.

One CDP insider denounced the online uploads, saying they were unprecedented and could have placed job seekers at risk.

"If a person has a family violence order in place to protect them, then perhaps the perpetrator would know where she was," said the source, who requested anonymity.

"It advertised that a person is accessing welfare services, and unfortunately in Australia there's discrimination against people accessing welfare services.

"People can be bullied for being unemployed."

The Galiwinku CDP page appears to have since been removed from the internet but the organisation denied any wrongdoing.

"We do not believe that this is a breach of confidentiality," an ALPA spokeswoman said.....

"All ALPA CDP participants give … media consent when they commence as a participant."......

Facebook spends more than a decade expressing contrition for its actions and avowing its commitment to people’s privacy – but refuses constructive action

“It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions. Facebook should not get to decide what Canadian privacy law does or does not require.” [Canandian Privacy Commissioner  Daniel Therrien, 25 April 2019]

Facbook Inc. professes that it  has taken steps to ensure the intregrity of political discourse on its platform, but rather tellingly will not roll out transparency features in Australia that it has already rolled out in the US, UK, Eu, India, Israel and Ukraine.

The only measure it commits to taking during this federal election campaign is to temporarily ban people outside Australiabuying ads that Facebook determines are “political”.

To date it has not been prepared to move on dishonest actors in Australia who are active on its platform during the election campaign.

So it should come as no surprise that Canada issued this three page news release…….

Office of the Privacy Commission of Canada, news release, 25 April 2019:

Facebook refuses to address serious privacy deficiencies despite public apologies for “breach of trust”

Joint investigation finds major shortcomings in the social media giant’s privacy practices, highlighting pressing need for legislative reform to adequately protect the rights of Canadians

OTTAWA, April 25, 2019 – Facebook committed serious contraventions of Canadian privacy laws and failed to take responsibility for protecting the personal information of Canadians, an investigation has found.

Despite its public acknowledgement of a “major breach of trust” in the Cambridge Analytica scandal, Facebook disputes the investigation findings of the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia. The company also refuses to implement recommendations to address deficiencies.

“Facebook’s refusal to act responsibly is deeply troubling given the vast amount of sensitive personal information users have entrusted to this company,” says Privacy Commissioner of Canada Daniel Therrien. “Their privacy framework was empty, and their vague terms were so elastic that they were not meaningful for privacy protection.

“The stark contradiction between Facebook’s public promises to mend its ways on privacy and its refusal to address the serious problems we’ve identified – or even acknowledge that it broke the law – is extremely concerning.”

“Facebook has spent more than a decade expressing contrition for its actions and avowing its commitment to people’s privacy,” B.C. Information and Privacy Commissioner Michael McEvoy says, “but when it comes to taking concrete actions needed to fix transgressions they demonstrate disregard.”

Commissioner McEvoy says Facebook’s actions point to the need for giving provincial and federal privacy regulators stronger sanctioning power in order to protect the public’s interests. “The ability to levy meaningful fines would be an important starting point,” he says.

The findings and Facebook’s rejection of the report’s recommendations highlight critical weaknesses within the current Canadian privacy protection framework and underscore an urgent need for stronger privacy laws, according to both Commissioners.

“It is untenable that organizations are allowed to reject my office’s legal findings as mere opinions,” says Commissioner Therrien.

In addition to the power to levy financial penalties on companies, both Commissioners say they should also be given broader authority to inspect the practices of organizations to independently confirm privacy laws are being respected. This measure would be in alignment with the powers that exist in the U.K. and several other countries.

Giving the federal Commissioner order-making powers would also ensure that his findings and remedial measures are binding on organizations that refuse to comply with the law. 

The complaint that initiated the investigation followed media reports that Facebook had allowed an organization to use an app to access users’ personal information and that some of the data was then shared with other organizations, including Cambridge Analytica, which was involved in U.S. political campaigns.

The app, at one point called “This is Your Digital Life,” encouraged users to complete a personality quiz. It collected information about users who installed the app as well as their Facebook “friends.” Some 300,000 Facebook users worldwide added the app, leading to the potential disclosure of the personal information of approximately 87 million others, including more than 600,000 Canadians.

The investigation revealed Facebook violated federal and B.C. privacy laws in a number of respects. The specific deficiencies include:

Unauthorized access

Facebook’s superficial and ineffective safeguards and consent mechanisms resulted in a third-party app’s unauthorized access to the information of millions of Facebook users. Some of that information was subsequently used for political purposes.

Lack of meaningful consent from “friends of friends”

Facebook failed to obtain meaningful consent from both the users who installed the app as well as those users’ “friends,” whose personal information Facebook also disclosed.

No proper oversight over privacy practices of apps

Facebook did not exercise proper oversight with respect to the privacy practices of apps on its platform.  It relied on contractual terms with apps to protect against unauthorized access to user information; however, its approach to monitoring compliance with those terms was wholly inadequate.

Overall lack of responsibility for personal information

A basic principle of privacy laws is that organizations are responsible for the personal information under their control. Instead, Facebook attempted to shift responsibility for protecting personal information to the apps on its platform, as well as to users themselves.

The failures identified in the investigation are particularly concerning given that a 2009 investigation of Facebook by the federal Commissioner’s office also found contraventions with respect to seeking overly broad, uninformed consent for disclosures of personal information to third-party apps, as well as inadequate monitoring to protect against unauthorized access by those apps.

If Facebook had implemented the 2009 investigation’s recommendations meaningfully, the risk of unauthorized access and use of Canadians’ personal information by third party apps could have been avoided or significantly mitigated.

Facebook’s refusal to accept the Commissioners’ recommendations means there is a high risk that the personal information of Canadians could be used in ways that they do not know or suspect, exposing them to potential harms.

Given the extent and severity of the issues identified, the Commissioners sought to implement measures to ensure the company respects its accountability and other privacy obligations in the future. However, Facebook refused to voluntarily submit to audits of its privacy policies and practices over the next five years.

The Office of the Privacy Commissioner of Canada plans to take the matter to Federal Court to seek an order to force the company to correct its privacy practices.

The Office of the Information and Privacy Commissioner for B.C. reserves its right under the Personal Information Protection Act to consider future actions against Facebook.  

Related documents:

Report of Findings

Chart: Facebook findings highlight the need for legislative reform

Remarks by the Privacy Commissioner of Canada regarding the Facebook/Cambridge-Analytica investigation

* Note: my yellow highlighting

Nor should this alleged 'mistake' made by Facebook cause surprise.......

The New York Times, 25 April 2019:

SAN FRANCISCO — The New York State attorney general’s office plans to open an investigation into Facebook’s unauthorized collection of more than 1.5 million users’ email address books, according to two people briefed on the matter.

The inquiry concerns a practice unearthed in April in which Facebook harvested the email contact lists of a portion of new users who signed up for the network after 2016, according to the two people, who spoke on condition of anonymity because the inquiry had not been officially announced.

Those lists were then used to improve Facebook’s ad-targeting algorithms and other friend connections across the network.

The investigation was confirmed late Thursday afternoon by the attorney general’s office.

“Facebook has repeatedly demonstrated a lack of respect for consumers’ information while at the same time profiting from mining that data,” said Letitia James, the attorney general of New York, in a statement. “It is time Facebook is held accountable for how it handles consumers’ personal information.”…

Users were not notified that their contact lists were being harvested at the time. Facebook shuttered the contact list collection mechanism shortly after the issue was discovered by the press…..

Facebook Inc's rapacious business practices has been the death of online privacy and now threatens the democratic process.

The relentless drive by Australian federal and state governments to create unsafe data collection and retention systems continues unabated

The Sydney Morning Herald, 26 January 2019:

More than 1 million Australians have had their name and address added to the electoral roll and then automatically passed to global marketing giants without their knowledge.

Direct enrolment laws passed by Parliament in 2012 meant Australians no longer had to register on the electoral roll to have their details entered, with information of workers and school students scanned from drivers licences, Centrelink and records from the Board of Studies in each state.

The electoral roll has since been handed over to credit-check operators for identification purposes designed to help financial services firms such as banks, Afterpay and Zip, to run fraud, anti-money laundering and anti-terrorism checks, but four of those identity firms are now running global marketing operations using data analytics.

No government body has been able to advise if anyone is monitoring the companies for breaches of the electoral act, which carries fines for using the data in commercial operations, or if they are monitoring the separation of data between the companies' identification and marketing arms.

The Sydney Morning Herald and The Age revealed this week that AXCIOM, Experian, Global Data and illion (formerly known as debt collectors Dun & Bradstreet) all have access to the electoral roll as "prescribed authorities". In their secondary businesses, each boasts of their ability to provide marketing data analytics on millions of Australians to their clients but maintain they are in full compliance with the privacy act and do not use the data for marketing purposes.

AXCIOM and Global Data have not responded to multiple requests for comment. An auto-reply email from AXCIOM said "data monetisation awaits!"

The only non-marketing firm among the group, US credit check giant Equifax, had the records of 145.5 million hacked in a breach in 2017 was fined $3.5 million by the Federal Court last year for misleading, deceptive and unconscionable conduct…..

….database that contains information on 16 million Australians. More than 1.5 million Australians who were eligible to vote - but not on the electoral roll - are likely to have been added since the laws passed.

School students as young as 16 have been caught up in the data transfer, with more than 18,846 people aged 16 and 17 provisionally on the electoral roll as of December 31.

Prime Minister Scott Morrion's bullying of single mothers increases

The Guardian, 28 January 2019:

Single mothers placed on a compulsory welfare program for disadvantaged parents allege they were pressured into allowing private job service providers to collect their “sensitive information”.

ParentsNext participants are asked to sign a privacy notification and consent form, which is similar to documentation provided to those on other welfare programs such as the employment scheme Jobactive.

The program is compulsory for those who want to receive parenting payments and are considered “disadvantaged”, but departmental guidelines state that participants may decline to sign the form and still take part.

Instead, some case workers have told participants that they would have their payments cut if they refused to sign the form.

The situation has meant women who did not want to give their consent have done so anyway. One of the five participants who spoke to Guardian Australia about their experience said they felt the situation represented “coercion”.

“She [my case worker] just said, flat out, ‘If you don’t sign it, you won’t get your parenting payment’,” one mother, who did not want to be named, told Guardian Australia. “It was simple as that.”

The women were concerned by the fact the privacy form states that providers “may collect sensitive information … [which] may include … medical information”. It is understood the form would allow providers to handle participants’ mental health information.

Parenting payment is the sole income for many women on the ParentsNext program, which is currently the subject of a Senate inquiry.

While is standard practice for welfare recipients to be asked to sign privacy consent and notification forms, the chairman of the Australian Privacy Foundation, David Vaile, noted that, in this case, the women felt they needed to sign the form in order to keep receiving their payments.

“It has all the characteristics of bad consent,” Vaile said.

Ella Buckland, who has been campaigning against ParentsNext since she was placed on the program, has asked her provider to destroy the consent form she signed last year. She was told she needed to sign the form to take part in the program – and therefore keep her payments.

“I felt humiliated and disempowered that I didn’t have a choice,” Buckland, a former Greens staffer, told Guardian Australia. “[I thought] if I didn’t sign it, I wouldn’t be able to feed my kids.”

The department has told Buckland in writing she may withdraw her consent at any time. Her provider, who did not reply to a request for comment, has been asked by the Department of Jobs and Small Business to respond to her claims.

Terese Edwards, the chief executive of the National Council of Single Mothers and their Children, said many women had legitimate reasons for refusing to sign the form, such as having left a violent relationship.

 “Providing this information reduces their sense of security,” she said. “It could be where the child is getting schooled, which then has the address of the parent. It could also have the name of the child.”

Among the women Guardian Australia has spoken is a mother of a transgender child who did not want to sign the form because she was concerned about the privacy of her daughter.

Eva* is eligible for an exemption from the program because she homeschools her daughter, but was told in a text message she would have to sign the consent form for this to be processed. She was also told she would have to attend a meeting with her provider, about two hours’ drive away, and to provide evidence that her daughter was homeschooled......

ParentsNext privacy notific... by on Scribd

Quotes of the Week

“in the Liberal Party, the problem is intellectual honesty, intellectual capacity, courage and integrity. Liberal Party politicians are not even game to attempt ideological coherence in their public pronouncements. They prefer simplistic slogans, message manipulation, outright lies, and varying levels of verbal bullying”  [Academic and blogger Ingrid Matthews writing in oecomuse, 27 November 2018]

“I note, and accept, advice that there is nothing in the bill that would abrogate parliamentary privilege. However, the main issue with covert access in relation to privilege … is that there would be no opportunity for a parliamentarian who considers that material is protected by privilege to raise such a claim.”  [ Speaker of the Australian Senate, Senator Scott Ryan, quoted in The Guardian, 29 November 2018]

Yet other digital privacy betrayals

The global situation......

The Guardian, 14 November 2018:

Google has been accused of breaking promises to patients, after the company announced it would be moving a healthcare-focused subsidiary, DeepMind Health, into the main arm of the organisation.

The restructure, critics argue, breaks a pledge DeepMind made when it started working with the NHS that “data will never be connected to Google accounts or services”. The change has also resulted in the dismantling of an independent review board, created to oversee the company’s work with the healthcare sector, with Google arguing that the board was too focused on Britain to provide effective oversight for a newly global body.

Google says the restructure is necessary to allow DeepMind’s flagship health app, Streams, to scale up globally. The app, which was created to help doctors and nurses monitor patients for AKI, a severe form of kidney injury, has since grown to offer a full digital dashboard for patient records.

“Our vision is for Streams to now become an AI-powered assistant for nurses and doctors everywhere – combining the best algorithms with intuitive design, all backed up by rigorous evidence,” DeepMind said, announcing the transfer. “The team working within Google, alongside brilliant colleagues from across the organisation, will help make this vision a reality.”

DeepMind Health was previously part of the AI-focused research group DeepMind, which is officially a sibling to Google, with both divisions being owned by the organisation’s holding company Alphabet.

But the transfer and vision for Streams looks hard to reconcile with DeepMind’s previous comments about the app. In July 2016, following criticism that the company’s data-sharing agreement with the NHS was overly broad, co-founder Mustafa Suleyman wrote: “We’ve been clear from the outset that at no stage will patient data ever be linked or associated with Google accounts, products or services.”

Now that Streams is a Google product itself, that promise appears to have been broken, says privacy researcher Julia Powles: “Making this about semantics is a sleight of hand. DeepMind said it would never connect Streams with Google. The whole Streams app is now a Google product. That is an atrocious breach of trust, for an already beleaguered product.”......

Here in Australia......

Canberra Times, 15 November 2018, p.8:

The chairman of the agency responsible for the bungled My Health Record rollout has been privately advising a global healthcare outsourcing company. Fairfax Media discovered the relationship between the UK-based company Serco and the Australian Digital Health Agency (ADHA) chairman Jim Birch after obtaining a number of internal documents.

The revelation comes as Health Minister Greg Hunt was forced to extend the My Health Record opt- out period after a compromise deal with the Senate crossbench and a last-minute meltdown of the website left thousands of Australians struggling to meet the original deadline. 

Since April 2016, Mr Birch has been ADHA chairman with oversight of My HealthRecord, the online summary of key health information of millions of Australians. Documents from the ADHA, released under freedom of information laws, show Mr Birch registered his work for Serco in November 2017, but the relationship was never publicly declared.

After Fairfax Media submitted questions last week on whether the relationship posed a conflict of interest, Mr Birch quit the advisory role.

Serco has won a number of multibillion-dollar government contracts to privately run - and in some cases deliver healthcare in - some of Australia's prisons, hospitals and detention centres.

The ability of Serco to navigate the controversial area of digital health records would be invaluable to any future expansion plans.

A spokeswoman for federal Health Minister Greg Hunt said all board members had declared their interests.

"Board members do not have access to system operations, and board members cannot be present while a matter is being considered at a board meeting in which the member has an interest," she said.

Lisa Parker, a public health ethics expert at University of Sydney, said the public had been asked to trust the agency is acting in its best interests. She said they should make public any information relevant to that trust…..

The register also shows Mr Birch knows the chief executive of start-up Personify Care, Ken Saman, and has been giving him advice since August last year. The software company recently released "Personify Connect", a product that provides hospitals with "seamless integration" of its original patient monitoring platform with My Health Record.

Despite being scheduled to speak at a "Personify Care breakfast seminar" later this year, Mr Birch has never publicly declared this interest. Mr Birch is also chairman of another start-up called Clevertar that allows businesses to create "virtual agents" and offer "personalised healthcare support, delivered at scale". This relationship is on the public record. 

Public sector ethics expert Richard Mulgan, from Australian National University, said the chairman should submit to a higher standard than ordinary board members and distance himself from anything suggesting a conflict of interest.

He said perception was just as important as reality and the public, not the people involved, was the best judge of whether there was a problem.

"The personal interests register must be published," he said.

"The fact they haven't can only lead to the perception there are conflicts of which they are ashamed."

Mr Birch, Personify Care and Clevertar did not respond to Fairfax Media's questions.

A Serco spokesman confirmed the company met with Mr Birch "occasionally ... over the past 12 months regarding business management", but did not answer whether it paid him.......

The Courier Mail, 15 November 2018, p.4:

Your dietitian, dentist, podiatrist, occupational therapist or optometrist will be able to see if have a sexually transmitted disease or an addiction unless you set access controls to My Health ­Record.

Major new privacy concerns emerged after the Federal Government was yesterday forced into an embarrassing call to delay the rollout.

People trying to access the controversial My Health Record hotline and computer portal experienced major delays during a rush to opt out before the system was rolled out tomorrow.

Health Minister Greg Hunt was forced to delay the opt out period until January 31 after pressure from health groups and crossbench senators.

The Australian Medical Ass­ociation was the only major health group not calling for a delay.

The vast majority of groups were concerned the record would come into ­effect before key privacy and secu­rity upgrades had been passed by ­Parliament. AMA president Dr Tony Bartone denied its position was related to his need to keep the Health Minister onside while he negotiated key reforms to general practice care.