Data Breach at Choice

I’ve just received an email from Choice to inform me that there has been a data breach. Choice members were asked to submit their experiences to do with refunds (if they chose to) which I did. I also said I could be contacted by Choice to answer any follow-up questions they might have. In doing so I might have given my phone number to Choice. What I cannot remember is if Choice themselves told me that another company was doing the survey on behalf of Choice. I am quite upset that I now might be targeted via email & phone by scammers. I realise that these data breaches are a regular occurrence & hard to stop (a reason I will be opting out of MyHealth) but I’m peeved that it was an outside organisation that has my information. I might add Choice has apologised for the breach & prob alerted myself & others immediately upon realising there was an issue. I’m grateful for the swift action by Choice. How many other people have received emails re this?


Sorry to hear that there has been a data breach @celloete

The data issue was with Health Engine, not My Health Record. Health Engine was passing user data on to third parties for advertising purposes. My Health Record is the Australian Government system and is as far as I know perfectly safe*.

{Edit: * from data on-selling or breaches so far}


I am sorry to say I do not share your confidence in the Government that they are perfectly safe in keeping such sensitive data as your personal medical records. I would be interested to know how you came to this conclusion.
We have seen in Victoria rogue employees working for Vic Roads releasing registration details to third parties not entitled to have access to them, and using them for various nefarious purposes.
The value of personal medical records to, say, insurance companies is very financially valuable and there is a huge incentive for people with privileged access to this information to make a tidy income on the side. For the data to be of any use in an emergency every doctor, hospital and ambulance service provider in the country would need access to it, putting at risk the privacy of the information in my view. :thinking:


There is already a huge amount of personal medical data in current systems. For example, test results and specialist consultations are all published or transmitted electronically. You don’t get the option to walk hard copy of your X-rays around these days. If such systems are not secure then the cat is already out of the bag.


I also got the email too. For those who didn’t, here it is…

I suppose a lesson for Choice may be to look in the future, at hosting such surveys/data collection exercises themselves…maybe through a short term software/platform licensing arrangement. An outcome of this for Choice may be one can’t rely on others to have the same level of security as oneself, or what one would expect.

My previous employer always used local hosting rather than second or third party hosting for data collected and stored. The main reason for this was one can’t rely on the marketing talk from other enterprises in relation to the robustness of their own online/electronic security.


I agree with @meltam, @Airsie and @syncretic.

The other thing to consider is… if you have any interaction with the government, they already have copious amounts of stored data on you. This includes if you receive any government benefits/social security, are employed/pay taxes/have completed a tax return in the past decade or so since rollout of eTax, own property and pay rates, have a passport, have travel cards (such as that used on public transport), have concession cards, have completed any form of education, have a bank account, shares or any other second party financial interests etc etc.

If one is worried about a few health records being stored by the government, this is the least of one’s potential worries.

Fortunately the government tries to stay one technological step ahead of potent hackers, as they have the resources to do so. Unfortunately businesses and individuals don’t have the same level of priority as government and are often the weakest/easiest link in the data management/integrity chain.


I solely base this on there being no reports of data breaches or on-selling of our health records SO FAR that I am aware of. But, I don’t have great faith in the impregnability of the Government’s data systems, as evidenced by the on-demand selling of individuals’ Medicare card details (“The Medicare machine: patient details of ‘any Australian’ for sale on darknet”).

Worryingly the Australian Government is apparently considering the commoditising and sharing of our data (“Proposed future data sharing laws revealed”).

This data is in various medical software owned by private entities. I have no doubt about the vulnerability of these systems and expect that it is only a matter of time before they are hacked if they haven’t already.

At least now with the new laws we should be told.


Unfortunately, we were affected by the Typeform breach. It’s very disappointing to all of us at CHOICE that this occurred, and we apologise again to those who were affected. Thanks for the suggestions @phb, I know there is now a thorough review underway to help avoid this situation in the future.