Pathology labs under scrutiny over claims of patient data being sent offshore
Thousands of Queensland patients may face privacy breaches after claims health data is being sent overseas without their consent, with pathology labs facing possible massive penalties.
Thousands of Queensland patients’ medical records could be in danger of being hacked after health authorities were alerted to pathology laboratories sending sensitive patient data overseas, possibly in breach of Australian privacy laws.
Federal and state privacy regulators are now investigating after Logan doctor Thomas Lyons raised the alarm.
The doctor noticed something unusual when calling a pathology company to check on patient test results.
“We used to speak to local staff but now, all the calls are answered from Malaysia and no one told us,” he said.
“Medical records are not just paperwork. They contain full names, addresses, Medicare numbers, blood test results, and even private information about medical conditions.
“This is about protecting people’s most personal and private information — their health and their lives.
“Most people wouldn’t want their blood test results or cancer diagnoses sitting on a server in another country, especially when we don’t even know how safe it is and no patients or doctors have given consent.”
Dr Lyons said the pathology company involved was one of the biggest providers in the country but other newer companies may also be sending data offshore.
Australian Clinical Labs (ACL) has been contacted for comment.
The claims have triggered major concern because, under Australia’s Privacy Act, health information is classed as “sensitive information” and given extra protections.
The Office of the Australian Information Commissioner (OAIC) said it was not investigating ACL in connection with this issue.
The OAIC does not comment on individual privacy matters, but it is understood to have a separate, unrelated matter involving ACL.
Complaints about pathology labs sending sensitive patient data overseas have been lodged with all three tiers of government.
If patients’ consumer rights are violated, the Australian Competition and Consumer Commission could also intervene.
Health data can lawfully be transferred offshore, but only if specific requirements under the Privacy Act 1988 and the Australian Privacy Principles (APPs), which the OAIC enforces, are met.
Health service providers must take reasonable steps to ensure that overseas recipients handle the data in line with Australian privacy standards, and any mishandling of the data by the recipient can result in legal consequences for the Australian provider that sent it.
If health information is part of the My Health Record system, however, it cannot be transferred outside Australia due to strict legal restrictions.
Penalties for breaching the Privacy Act are severe, with fines up to $2.1 million for companies and $420,000 for individuals.
Criminal penalties could also apply for mishandling My Health Records, including fines up to $630,000 and up to two years in prison.
Sending medical data to countries with weaker privacy protections can also lead to data theft, identity fraud, or worse, leaving patients vulnerable to harm.
If a company wants to send patient information overseas, they must either make sure the overseas company follows the strict Australian privacy standards, or clearly explain the risks to the patient and get their permission first.
If the company does not do either, it could be a breach of Australian Privacy Principle 8, which controls how personal information is sent overseas.
Dr Lyons said doctors and clinics also faced risk if they used pathology companies that do not follow privacy rules.
He said that if patients lost trust in their doctors or health care providers, they might change clinics or even take legal action if their data was misused.
Health guidelines already encourage doctors to choose safe and reliable pathology providers.
But many GPs say they are not being properly informed when companies move their call centres or data systems overseas.
Many medical experts now believe the rules should be much tighter and are calling for an outright ban on sending patient data overseas.
Others want clear, mandatory warnings given to patients before any information leaves Australia.
Queensland Health referred all questions to the federal Health Department.
Patients are being encouraged to ask their GPs whether their medical information is being stored securely in Australia.