How Safe Is MOH’s Electronic Medical Record System?

Will MOH allow people to opt out of sharing their medical records?

As I was doing my regular annual health check at a diagnostic centre, I was trying to remember if I had already taken my HPV vaccine (not that it mattered since I was past the age limit).

But I wanted to know the various shots I had previously received.

When I dug through my wallet, I realised I had two vaccination cards from that diagnostic centre. Obviously they weren’t keeping their records well. (And yes, it turns out I did get the HPV vaccine just before I turned 26 to protect against cervical cancer.)

Besides keeping track of vaccinations, a portable electronic health record would allow doctors who haven’t previously treated me to know the various drugs I’m allergic to. I wouldn’t have to show them a dinky little card with a list of my allergies scribbled in barely legible handwriting by my GP.

Health Minister Dzulkefly Ahmad reportedly said his ministry would implement an electronic medical record system in 145 hospitals across the country in the next three years, starting with Ministry of Health (MOH) clinics and hospitals.

In fact, he said 20 per cent of hospitals in Malaysia already use electronic medical records, including Selayang Hospital and Ampang Hospital.

Dzulkefly said the system would enable doctors and nurses to share information on patients’ medical consultations and prescriptions, whichever facility the patient visited. So, in other words, it is an actual integrated electronic medical record system.

It is not the same as the Malaysian Health Data Warehouse (MyHDW) that was launched by the previous Barisan Nasional (BN) administration back in 2017 and has already completed its second phase.

Dr Md Khadzir Sheikh Ahmad, head of the Health Informatics Centre at the Health Ministry who is managing the MyHDW, said earlier this month that MyHDW only collects data on people’s visits to any health care facility, inpatient visits, outpatient visits, visits to daycare unit services, as well as visits to clinical support groups like physiotherapy, speech, or audio.

MyHDW is not, he says, an electronic medical record.

So, if Dzulkefly’s announcement is the real deal, then why haven’t we heard about the electronic medical record system before, especially since it is already in place in two public hospitals? Have they already begun integrating electronic medical records? Were patients informed before their medical records were shared between health providers?

While shared electronic health records may enable continuity of care, the Malaysian government has yet to demonstrate its ability to protect our data.

Malaysia suffered two major personal data breaches in recent years, both of which involved government hospitals and the Malaysian Medical Council (MMC) which regulates doctors.

In January 2018, Lowyat.net reported that the personal information of 220,000 Malaysian organ donors and their next-of-kin, including their IC numbers, phone numbers, and addresses, was leaked online as early as September 2016. The leaked information reportedly contained sign-up data from government hospitals and National Transplant Resource Centres nationwide.

Earlier, in October 2017, Lowyat.net reported a massive data breach in which the personal data of over 46 million mobile subscribers in Malaysia, including IC numbers and mobile numbers, was stolen and leaked online. Lowyat also discovered personal data leaks from other sources, including MMC and the Malaysian Medical Association (MMA).

Yet, MOH under the previous BN government did nothing to reassure the public about the steps it would take to prevent such massive personal data breaches from happening again.

Although Pakatan Harapan (PH) made some noise back then, the new government still has not announced concrete plans to improve cyber security or amended the law to require organisations to notify those affected by their data breaches.

The Personal Data Protection Act (PDPA) 2010 does not apply to the government either.

Even Singapore, which has a national electronic health record system, suffered a data breach last January when the personal information of over 14,000 people diagnosed with HIV was stolen from the health ministry’s HIV registry and leaked online.

Singapore’s government health database was also hacked last July, with hackers stealing the personal data of 1.5 million people, including Prime Minister Lee Hsien Loong.

Britain, whose health system Malaysia closely mirrors, was forced in 2014 to halt the roll-out of a national database to store patients’ medical records due to problems with confidentiality. NHS England later scrapped the care.data scheme in 2016.

The Guardian revealed in 2014 that health information on the single database covering the entire UK population, including mental illnesses and diseases like cancer, as well as drinking and smoking habits, could be sold to pharmaceutical and insurance companies.

Even now, a similar digital medical record system in Australia that shares patients’ medical histories between health providers has run into a major technical glitch that may have left patient information incomplete, incorrect, or out of date.

Those are examples from developed countries of how tricky it is to store and share electronic health records, let alone in Malaysia, where people have such a blasé attitude towards personal data.

Sign-up sheets at any government or commercial event always ask for IC numbers, phone numbers, and email addresses. Sometimes that information ends up online.

So how does MOH under the PH government plan to protect patient confidentiality, especially sensitive information like one’s medical records?

What access levels will be put in place? Even within the same hospital, I don’t want all doctors to have access to my record, only the doctor treating me.

And why should 145 hospitals have my medical record? I’m not likely to visit 145 hospitals in my lifetime.

What are the government’s precautions to protect against hacking of our electronic health records?

How can the government ensure that our medical information won’t be sold to pharmaceutical or insurance companies?

A British privacy group reportedly said protections against using patient data for “solely commercial purposes” had existed in the UK but they did not work. Critics had also claimed that even though patient data shared with companies in Britain was anonymised, individuals could be identified by matching the anonymised data with other patient data.

Will MOH allow people to opt out of sharing their medical records?

Who owns the data? The patient, doctor, hospital, or government?

It would be good to have an electronic health record containing doctors’ consultations, results of diagnostic tests, and treatment plans that is accessible to patients, as such information is currently stored in clinics or hospitals, out of patients’ hands. In private hospitals though, patients can get results of their diagnostic tests.

I want an electronic health record which I can access and decide who to share it with, but I am not sure if the government is ready to handle such a huge responsibility.

Ultimately, it is we, the patients, who should have control over our own medical information, not the government, or even patronising doctors or impersonal hospitals.

Boo Su-Lyn is a libertarian writer who believes in minimal state intervention in the economy and socio-political issues. Read her at boosulyn.com. Share your ideas with her at fb.com/boosulyn, tweet her @boosulyn, follow her lifestyle at IG @boosulyn, and watch her at youtube.com/c/boosulyn.

  • This is the personal opinion of the writer or publication and does not necessarily represent the views of CodeBlue.
