
Australia’s health records at risk: The myth of anonymous data


As Oracle and Palantir weave their systems into Australia’s digital health network, the promise of “de-identified” data begins to look more like a dangerous illusion of privacy, writes Jemma Nott.

FOR SOME TIME NOW, Oracle Health has been expanding not just through the American health system but across Australian state medical systems.

In 2018, Queensland Health, for example, began a tender process for a Patient Administration System, which Cerner PAS (now Oracle Health) successfully won. The tender process proceeded despite allegations at the time that the Chief Information Officer of Queensland had an inappropriate relationship with someone in the procurement process. Oracle now supplies the integrated electronic messaging system to all Queensland hospitals, which in 2023 led to a crash of all patient records systems.

At the national level, the Australian Digital Health Agency (ADHA) manages the My Health Record system, which aggregates information from hospitals, GPs, pharmacies and pathology providers. Through its interoperability architecture, Oracle Health effectively enables the secure exchange of clinical data between Queensland’s public-hospital network and the national digital health system.

In other words, Oracle facilitates the transfer of information about the treatments and care you received in hospital into the record that is then stored for your “personal use” later on. However, Larry Ellison, the chairman of Oracle and holder of the world’s second-largest fortune, has much grander ambitions for the use of healthcare data on the international stage.

When Oracle founder Larry Ellison announced that his company would build a unified national health database where “all American citizens’ health records [are] anonymised, secured and analysed in real time,” it sounded like a leap toward medical progress. But beneath the optimism lies a technical and ethical fault line: the health data systems being rolled out by Oracle and other vendors do not truly anonymise information — they pseudonymise it.

Running alongside Oracle’s push is Peter Thiel’s Palantir Technologies, which built the U.S. Department of Health’s HHS Protect system, the NIH’s National COVID Cohort Collaborative (N3C), and the UK NHS Federated Data Platform. Each uses “de-identified” data, but not in the irreversible sense.

In large-scale health analytics, “de-identified” rarely means “anonymous”.

To make data useful for longitudinal studies, direct identifiers such as names or Medicare numbers are stripped out, but replaced with encrypted tokens or keys so that records from the same patient can be re-linked across systems. That process – pseudonymisation – preserves analytic value but keeps re-identification technically possible.

A concrete, documented example is the U.S. National Institutes of Health’s National COVID Cohort Collaborative (N3C), built with privacy-preserving record linkage (PPRL). Each institution generates hashed tokens; a trusted broker matches them to create a single patient identifier. The data are de-identified for most users but deliberately linkable for authorised analysts.

Research repeatedly shows that supposedly anonymous health records can be traced back to individuals when combined with other information.

A University of Melbourne study, for example, demonstrated that people in Australia’s “de-identified” Medicare Benefits Scheme (MBS) and Pharmaceutical Benefits Scheme (PBS) datasets could be re-identified using basic demographics and service dates.
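The two mechanisms described above, tokenised linkage and re-identification from quasi-identifiers, as an added illustration that is not code from the article, from N3C or from any vendor named here. It assumes constructed patient records, a placeholder broker key, and HMAC-SHA256 as the token function (a stand-in for whichever scheme a real PPRL deployment uses); the k-anonymity check is the defensive measurement a data custodian would run before release.

```python
import hashlib
import hmac
from collections import Counter

# Linkage key held only by the trusted broker; a constructed placeholder, not a real secret.
BROKER_KEY = b"constructed-demo-key"
QUASI = ("postcode", "birth_year", "sex", "service_date")  # fields a linkage attack would use

def rec(name, medicare, postcode, birth_year, sex, service_date, **clinical):
    """Build a constructed patient record with direct and quasi-identifiers."""
    return dict(name=name, medicare=medicare, postcode=postcode, birth_year=birth_year,
                sex=sex, service_date=service_date, **clinical)

# Constructed sample data: two institutions with one overlapping patient.
HOSPITAL = [rec("A. Citizen", "2000 00001 1", "4000", 1961, "F", "2023-03-14", diagnosis="I21"),
            rec("B. Citizen", "2000 00002 1", "4000", 1985, "M", "2023-03-14", diagnosis="J18")]
PHARMACY = [rec("A. Citizen", "2000 00001 1", "4000", 1961, "F", "2023-03-20", dispensed="clopidogrel"),
            rec("C. Citizen", "2000 00003 1", "4000", 1985, "M", "2023-03-14", dispensed="amoxicillin")]

def pprl_token(medicare, key=BROKER_KEY):
    """Keyed hash (HMAC-SHA256) of a direct identifier. Deterministic, so the same patient
    gets the same token at every site; whoever holds the key can recompute tokens for
    known Medicare numbers, which is why the data stays pseudonymous, not anonymous."""
    return hmac.new(key, medicare.replace(" ", "").encode(), hashlib.sha256).hexdigest()

def pseudonymise(records):
    """Drop name and Medicare number; keep a token plus quasi-identifiers and clinical fields."""
    return [{"token": pprl_token(r["medicare"]),
             **{k: v for k, v in r.items() if k not in ("name", "medicare")}} for r in records]

def link_across_sites(*datasets):
    """Broker-side join: records sharing a token are the same patient across institutions."""
    linked = {}
    for ds in datasets:
        for r in ds:
            linked.setdefault(r["token"], []).append(r)
    return linked

def k_anonymity(records, quasi=QUASI):
    """Smallest group size over the quasi-identifiers; k == 1 means some row is unique."""
    counts = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(counts.values())

def generalise(records):
    """Defensive coarsening before release: 5-year birth bands, month-level service dates."""
    out = []
    for r in records:
        band = r["birth_year"] // 5 * 5
        out.append({**r, "birth_year": f"{band}-{band + 4}", "service_date": r["service_date"][:7]})
    return out

if __name__ == "__main__":
    pooled = pseudonymise(HOSPITAL) + pseudonymise(PHARMACY)
    print("distinct patients after linkage:", len(link_across_sites(pooled)))
    print("k-anonymity of released rows:", k_anonymity(pooled))
    print("k-anonymity after generalising:", k_anonymity(generalise(pooled)))
```

Even with names and Medicare numbers removed, the pooled rows have k = 1 on postcode, birth year, sex and exact service date alone; coarsening those fields is what lifts k, and the token still lets the broker re-link every row.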

Under the Privacy Act, this pseudonymised data may still be considered “personal information” if re-identification is reasonably possible.

Since 2012, My Health Record has been operated by Accenture, but in June 2025, the Australian Digital Health Agency opened a new request for tender to consolidate MHR support and the information gateway. Accenture won an extension on the contract for now, but the Government was clearly signalling for whoever took this tender to oversee some big changes in how My Health Record is hosted and used.  

The ADHA’s 2018 Framework for the Secondary Use of MHR data permits de-identified data to be used for research and system improvement — but it seemingly assumes effective, irreversible anonymisation. The governance framework for actually sharing secondary MHR data has not been built yet, and as international vendors push pseudonymised, cloud-based analytics models, that assumption no longer holds.

Under the secondary data use framework, the Government settled on an opt-out approach for the release of de-identified health data from My Health Record for research and public health purposes. However, as of February 2020, only 63,504 Australians – or 0.28 per cent – with a My Health Record had opted not to share de-identified data, suggesting most individuals are in the dark about the controls.

Telstra Health, which won a contract to ‘modernise and transform the My Health Record system’, has a stated vision of moving to ‘enable seamless, secure data exchange and real-time insights across Australia’s healthcare system’.

Similarly, Deloitte, which won the contract to host the API gateway of My Health Record, is not as publicly bold in its statements but shares the same technical vision as Ellison. It markets “HealthTech Interoperability Platforms” and “Connected Health Analytics”.

There are several examples where this “de-identified data” is already in practical use in Australia, such as the National Health Data Hub. The NHDH brings together “de-identified” health and welfare datasets such as hospital admissions, emergency departments, outpatient services, pharmacies and aged care, for research and policy tasks.

Another example is the CardiacAI data repository in NSW, which uses “de-identified” data from two local health districts for cardiovascular research. Every time My Health Record is put back up to tender, the same question arises: What is the long-term plan for this data?

As global players like Oracle and Palantir attempt to redefine how governments interact with their health systems, the Australian Government has put in place all of the necessary steps for My Health Record to become a source of continuously mined data that we are told is for early prediction, but that can just as easily feed discrimination, research bias or even the denial of insurance claims.

If the Government allows pseudonymised health data to flow through global clouds, which the U.S. Government can potentially compel under the U.S. Cloud Act, Australia risks losing sovereignty over its population’s medical information. The policy question is not just about privacy, but who ultimately profits from predictive health data — public systems or private platforms.

Jemma Nott is a Political Economy post-graduate student at the University of Sydney and a freelance writer.
