The myth of anonymous data

As Oracle and Palantir integrate their systems into Australia’s digital health network, the promise of “identified” data is starting to look more like a dangerous illusion of privacy, writes Jemma Nott.

IT’S BEEN A TIME, Oracle Health It is expanding not only through the American healthcare system but also across Australian state medical systems.

in 2018 Queensland HealthFor example, the tender process for the Patient Management System used by Cerner PAS (currently Oracle Health) has started. successfully won. The tender process went ahead despite claims that the Queensland Chief Information Officer was on a mission at the time. inappropriate relationship with someone in the buying process. Oracle now provides an integrated electronic messaging system to all Queensland hospitals, which led to the collapse of all patient records systems in 2023.

At the national level, the Australian Digital Health Agency (ADHA) manages My Health Record System that collects information from hospitals, GPs, pharmacies and pathology providers. through him interoperability architectureOracle Health effectively enables the secure exchange of clinical data between Queensland’s public hospital network and the national digital health system.

In other words, they facilitate the transfer of information regarding treatment and care received in the hospital and information that is then stored for your “personal use”. But, Larry EllisonOracle, chairman and owner of the world’s second-largest fortune, has much bigger ambitions for using healthcare data on the international stage.

Oracle founder Larry Ellison is a “unified national health database” Where “health records of all American citizens [are] anonymized, secured and analyzed in real time” It seemed like a leap forward towards medical progress. But underlying the optimism lies a technical and ethical fault line: The health data systems made available by Oracle and other vendors do not truly anonymize information; They give nicknames.

Running with Oracle’s support Peter Thiel‘s Palantir TechnologiesBuilt by the US Department of Health HHS Protection system, NIH’s National COVID Cohort Collaborative (N3C) and England NHS Unified Data Platform. Each “deidentified” data, but not in the irreversible sense.

In large-scale healthcare analytics, “de-identification” rarely means “anonymous.”

Direct identifiers such as names or names are used to make data useful in longitudinal studies. Medicare numbers removed but replaced encrypted tokens or keys so that the same patient’s records can be reconnected between systems. This process (pseudonymization) preserves analytical value but makes reidentification technically possible.

A concrete, documented example is the US National Institutes of Health’s National Institutes of COVID Cohort Collaboration (N3C) is built with privacy-preserving record linkage (PPRL). Each institution produces hashed tokens; a trusted intermediary matches them to create a single patient identifier. Data is de-identified for most users but can be knowingly linked to authorized analysts.

Research repeatedly shows that so-called anonymous health records can be traced back to individuals when combined with other information.

A. University of Melbourne researchfor example, people in Australia’s “de-identified” Medicare Assistance Program (MBS) and Pharmaceutical Benefits Program (PBS) datasets can be redefined using basic demographic information and service dates.

Under Privacy ActIf re-identification is reasonably possible, this pseudonymized data may still be considered “personal information”.

My Health Record has been operated by Accenture since 2012, but in June 2025 the Australian Digital Health Agency I opened a new request A tender has been launched to combine MHR support and information gateway. Accenture won overtime on contract for now, but the Government was clearly signaling to the awardee of this contract to oversee some major changes to the way my Health Records are hosted and used.

ADHAs 2018 Framework for Secondary Use of MHR The data allow the use of de-identified data for research and system improvement but apparently assume effective, irreversible anonymization. While they have yet to establish the governance framework for sharing secondary data from MHR, this assumption is no longer valid as international vendors push pseudonymous, cloud-based analytics models.

Within the framework of secondary data use, the Government a give up Approach to releasing de-identified health data from My Health Record for research and public health purposes. However, as of February 2020, only 63,504 Australians 0.28 percent of companies with My Health Record chose not to share de-identified data; This shows that most people are unaware of the controls.

Telstra HealthWhich won a contract with ‘Modernise and transform the My Health Record system’have a clear vision for the move ‘Enable seamless, secure data exchange and real-time insights across Australia’s healthcare system’.

Similarly, Deloittewinner of the tender Host API gateway Although My Health Record is not as bold in its public statements, it shares the same technical vision as Ellison. “HealthTech Interoperability Platforms” and “Connected Health Analytics”.

There are several examples where this “de-identified data” has already been used in practice in Australia; National Health Data Center. NHDH It brings together “de-identified” health and wellbeing datasets such as hospital admissions, emergency departments, outpatient services, pharmacies and aged care for research and policy tasks.

Another example is CardiacAI data repository In NSW, “de-identified” data from two local health districts is being used for cardiovascular research. Every time My Health Record is put out to tender, the question constantly comes up: What is the long-term plan for this data?

While global players such as Oracle and Palantir seek to redefine how governments interact with healthcare systems, the Australian Government has put in place all necessary steps to ensure My Health Record becomes a continuously mined source of data that we are told is for early prediction, but can easily be passed on through discrimination, research bias and even denial of insurance claims.

The US Government could potentially mandate this if the government allows pseudonymized health data to flow through global clouds. US Cloud ActAustralia risks losing sovereignty over its people’s medical information. The policy question is not just about privacy, but also about who ultimately profits from predictive health data (public systems or private platforms).