Monday, 10 July 2017

Would you trust these men with your personal health information? Part Two

Left to Right: Minister for Human Services and Liberal MP for Aston, Alan Tudge
Minister for Health and Liberal MP for Flinders, Greg Hunt

The Guardian, 8 July 2017:
The government found itself facing heavy criticism this week over how it handles Australians’ personal information, after a Guardian investigation revealed a darknet trader was illegally selling the details of any Medicare card holder on request by “exploiting a vulnerability” in a government system.
The data had been for sale since at least October 2016, and the seller appears to have sold the Medicare details of at least 75 Australians…..
“What’s happening is the community is wrapping these attacks together and seeing them as a threat, and it adds to a perception that their data is not safe,” said Australia’s privacy commissioner, Timothy Pilgrim. “All the players need to work out a way to build up that trust.”
But why do these breaches keep happening? And is the government doing everything it can to stop them, and reassure the public when they do happen?
After being alerted by the Guardian to the Medicare breach, the minister took swift action, referring it to the Australian federal police for investigation. Pilgrim welcomed this as an appropriate response…..
The most critical risk to Australians from the misuse of Medicare card data is one of identity fraud. A fake Medicare card with legitimate details can get a criminal a quarter of the way to an entire fake ID. This could then be used by organised crime groups in any number of ways, for example by leasing property or equipment. It could also be used to fraudulently obtain services from Medicare itself.
In this case, the darknet was the vehicle for this particular identity fraud scam. But it didn’t need to be, and it is likely similar, less-sophisticated scams are taking place right now.
Tudge has used an unusual line to explain the breach. He has said it was not a hack or cyber attack, but “traditional criminal activity”. What he’s edging around is that his department believe this was a case of an individual using a legitimate method to access Medicare data – but for an unauthorised and illegal purpose.
But contrary to Tudge’s assertion, access control is very much a matter of cybersecurity. And there are a lot of problems with the way Medicare card details can be obtained.
For instance more than 200,000 individual users can potentially look up Medicare card details through the department’s system. The department has declined to answer whether each access is logged, which could allow it to trace when a particular card was looked up. If those controls aren’t there, it’s unlikely the darkweb vendor selling this data will be found.
It doesn’t mean someone sitting in a doctor’s clinic has been supplying the data. A prospective patient could show up at a GP’s reception, pretending to be someone else, and just ask for that person’s Medicare card details. Guardian Australia has spoken with one employee at a medical practice who said people regularly asked for their card details to be supplied.
Identity fraud using Medicare cards is coming to be seen as a big problem in the government. The human services department acknowledged in February 2016 that there had been 1,500 “probable” cases of Medicare fraud, a jump from 269. The Australian reported that in 2014 the justice minister, Michael Keenan, set out to quantify the scale of Medicare card fraud taking place. A study found Medicare cards and driving licences were the most commonly used forms of ID for fraudsters.
The problem appears to be growing worse as the number of those given credentials to access Medicare card details legitimately has increased – jumping 25% in the last financial year – and as organised crime groups grow more sophisticated in their methods.
All of this contributes to the loss of trust….
