A statement from the two groups said the ANAO report showed the Australian Digital Health Agency was not overly concerned about the security of health data.
The two organisations pointed out that the number of data breaches in 2018 showed the health industry was the worst offender.
"t is astounding that this should be the case after over seven years of production use of the My Health Record system. It raises serious questions about ADHA’s commitment to cyber security of the My Health Record system," they said.
“It is deeply concerning that the ADHA has not yet undertaken all of the recommended steps to improve security. In some cases, there is no risk assessment or mitigation strategies to protect information assessed as high and very high risk,” said Dr Trent Yarwood, a medical specialist and health spokesperson for Future Wise.
“Improper access by an authorised user like a healthcare worker snooping on record of their friend, or ex-partner, or even a celebrity is a much more likely to occur than an external hack. So when ADHA say the system has never been hacked, it does not mean people’s private information hasn’t been breached, because clearly it is happening.”
EFA chair Lindsey Jackson said: "We call on the government to move beyond lazy, simplistic, and divisive rhetoric about cyber security and to engage seriously with the work required.
“These are complex issues that require serious people willing to engage with the complexity, and to do the hard work required to keep our data private and secure. Australians deserve nothing less.”