Privacy experts alarmed medical data is collected without consent

The health secrets of millions of Australians have been extracted from GP computers in a data grab without permission. See what it means for you.

Exclusive: The individual health records of almost 25 million Australians have been scraped from medical clinics under a secret data grab that has alarmed privacy experts.

The move has laid bare information on patients’ mental health, alcohol consumption, weight, sexually transmitted diseases and HIV.

In most cases the material is being collected by data firms without explicit patient consent and patients have not been given the opportunity to opt out.

The Australian Privacy Foundation said that if the records were to fall into the wrong hands they could be used to blackmail powerful people, to track down a domestic violence victim, or by employers to vet job applicants.

They could also be used against a person with mental health problems in a custody battle.

“While almost 10 per cent of Australians opted out of My Health Record, most may be unaware they are giving consent to their default data upload, when they sign the patient registration form to see their own doctor,” Juanita Fernando, Health Committee Chair of the Australian Privacy Foundation, said.

Health data is vulnerable to hacking, experts claim. Picture: Supplied

Doctors are providing the patient health information under the Primary Health Insights program via two data collection firms, which give the files to 31 Primary Health Networks (PHNs).

These are administrative health regions established by the government. The Department of Health said they would use the data to improve health care and determine where new health resources are needed.

Paul Power, an IT consultant to the medical profession who raised the alarm that saw privacy protections in the My Health Record legislation substantially strengthened, said the data could be a hacking target for China or Russia and nefarious actors.

The Office of the Australian Information Commissioner said patient protections were imperative.

“It is essential that privacy protections are in place when dealing with such sensitive information,” a spokesperson said.

General practices are meant to seek patient consent to take the data but those who have been seeing the same GP for many years are unlikely to have been explicitly informed or given their consent or the chance to opt out.

And some patients who did ask to opt out said it took three months for the process to happen; others were told by GPs they had no idea about the process.

Royal Australian College of General Practitioners president Dr Karen Price says general practices were adhering to relevant privacy legislation.
Australian Medical Association president Dr Omar Khorshid says primary health networks claimed to have “very, very high levels of security”. Picture: Supplied

The data is meant to be de-identified but when the Department of Health published “de-identified” health data of three million Australians in 2016, it took researchers at Melbourne University just three days to decode it and re-identify it.

In 2017 the Medicare numbers of Australians were found for sale on the dark web.

ANU researcher Dr Vanessa Teague, who was part of the team who re-identified the health data in 2016, said patient information containing Medicare or medicines information — or even the year a woman’s child was born — was the most vulnerable.

“It would be entirely inaccurate to describe it as de-identified,” she said.

Former Privacy Commissioner turned lead adviser for Information Integrity Services Malcolm Compton agreed.

“I think they’re being a bit too clever by half,” he said.

Australian Medical Association president Dr Omar Khorshid said Primary Health Networks claimed to have “very, very high levels of security”.

Royal Australian College of General Practitioners president Dr Karen Price said general practices were adhering to relevant privacy legislation.

“… and have privacy policies in place which explain how personal patient data is used as part of the provision of care and how de-identified data may be used for research and quality improvement purposes,” she said.

The Department of Health said patients can opt out of having their information collected.


Original URL: https://www.dailytelegraph.com.au/news/national/privacy-experts-alarmed-medical-data-is-collected-without-consent/news-story/7e2d7e8a224bdf3fe02f45e6bd8ec8a8