Health Minister Greg Hunt has announced changes to the My Health Record system in an attempt to allay growing concerns about its lack of security and privacy for all those who do not opt out by October 15.

While some doctors' groups and politicians seem reassured by these minor changes, fundamental flaws have not been addressed. This ill-conceived platform is neither useful nor safe enough to proceed.

Last month, hackers accessed 1.5 million health records in the Singaporean government's online health system — even the Prime Minister's.

The vast breach shows the risks of storing our sensitive health information in massive, centralised online databases, as Australia is about to do.

The jackpot for identity thieves

My Health Record's own privacy policy notes risks from the online transmission and storage of our personal information in this system.

And the Singapore hack is only the most recent in a series of health data breaches we have witnessed in Australia and overseas, while the incentives for these breaches are increasing.

While some have suggested there's nothing interesting in their own medical records, this shows a misunderstanding about the value of this information.

Medical records are far more valuable than credit card details as a means of identity theft, due to the massive amount of personal information they contain about you, your family and your life history. They are a jackpot for hackers, fetching a high price on the dark web.

The names of healthcare professionals who access your record won't be recorded. ( Pixabay )

System defaults to non-secure

The changes announced by the Minister do not alter My Health Record's design and defaults, which err on the side of minimal privacy and security for our sensitive health information.

If you do not opt out by October 15 this year, the government will create a record which will be stored in this online database. The default position is that those providing you with healthcare — including pharmacists, physiotherapists, podiatrists — will have access to your medical record without seeking your prior consent. It is unlocked.

To change this, you would need to set PIN codes for different documents and providers, a laborious and complex effort.

It's not surprising that the number of people opting to use these privacy settings is "fewer than 2 out of every 1000 individuals registered," according to the ADHA.

Privacy to pry, however, is assured for the 900,000 people who will have access to your My Health Record. Their names won't be logged and audited when accessing your record, only their institution's name.

Best practice out the window

According to global best practice in data protection, patients should be "fully informed" and give "express consent" for use of their health information.

My Health Record completely rejects this standard. It presumes consent, relying on patients to educate themselves and opt out.

The problems were foreseeable; they were forecast by privacy and health experts for years.

We must learn from Australian and overseas experience and recognise the Minister's announcement is a band-aid solution.

A systemic review of My Health Record design is imperative, as is taking responsibility for the flawed model of a government-controlled central database which has not been designed to serve the interests of patients and their doctors.

Without responsibility, organisations do not learn, and we won't get the properly designed, useful and safe electronic medical records system we need.

Katharine Kemp is a lecturer in the Faculty of Law at UNSW and co-leader of the Data as a Source of Market Power research stream of the Allens Hub for Technology, Law and Innovation. Bruce Baer Arnold is assistant professor in the School of Law at the University of Canberra. David Vaile is a teacher of cyberspace law and leader of the Data Protection and Surveillance stream of the Allens Hub for Technology Law and Innovation.