Since about 2014 it has been known that the personal details of Medicare
cardholders has been for sale on the dark web.
Despite an April
2014 report by the Australian
National Audit Office that the Consumer
Directory - which contains all Medicare customer records - was not secure
and that cardholder
details were for sale, the federal Liberal-Nationals
Coalition Government does not appear to have comprehensively acted act on
the issue of database security.
It was not
unknown that Medicare cardholder details were being used fraudulently.
When contacted
by the mainstream media in July 2017 the Liberal MP for Aston and then Minister for Human Services Alan Tudge denied
any prior knowledge of cardholder details being offered for sale.
It was not reported that at the time if he was asked about instances of Medicare cardholder details being used to commit fraud or identity theft.
In August 2017 eHealth Privacy Australia was telling
the Senate Finance and Public Administration Committee that:
•
There are fundamental weaknesses in both the HPOS (Medicare card data) and My Health
Records systems, which make them vulnerable to illegal access.
•
Those weaknesses mean that fraudulent users of the systems can assume the
identity of legitimate users to gain illegal access.
•
It is not sufficient to mitigate these weaknesses in the My Health Records system.
By 1 January
2019 IT
News was
reporting that Medicare cardholder details fraudulently obtained had been used to access an individual’s My Health Record:
The number of data
breaches involving the My Health Record system rose from 35 to 42 in the past
financial year, new figures show.
The Australian Digital
Health Agency (ADHA) said in its annual report [pdf] that “42 data breaches (in 28
notifications) were reported to the Office of the Australian Information
Commissioner” in 2017-18.
As with previous years,
the agency said that “no purposeful or malicious attacks compromising the
integrity or security of the My Health Record system” were reported in the
period.
Of the 42 breaches, one was the result of “unauthorised
access to a My Health Record as a result of an incorrect Parental Authorised
Representative being assigned to a child”, the agency reported.
A further two breaches were from “suspected fraud against
the Medicare program where the incorrect records appearing in the My Health
Record of the affected individual were also viewed without authority by the
individual undertaking the suspected fraudulent activity”, ADHA said.
In addition, 17 breaches were the result of “data
integrity activity initiated by the Department of Human Services to identify
intertwined Medicare records (that is, where a single Medicare record has been
used interchangeably between two or more individuals)”, the agency said. [my
yellow highlighting]
Despite this
knowledge the Abbott-Turnbull-Morrison
Government has still not grasped the nettle, because on 16 May 2019 The
Guardian reported:
Australians’ Medicare
details are still being illegally offered for sale on the darknet, almost two
years after Guardian Australia revealed the serious privacy breach.
Screenshots of the
Empire Market, provided to Guardian Australia, show the vendor Medicare Machine
has rebranded as Medicare Madness, offering Medicare details for $US21.
Other vendors charge up
to $US340 by offering fake Medicare cards alongside other fake forms of
identification – such as a New South Wales licence.
The Medicare Madness
listing suggests the Medicare details “of any living Australian citizen” have
been available since September 2018.
Guardian Australia first
reported patient details were on sale in July 2017, verifying the listing
by requesting the data of a Guardian staff member and warning that Medicare
card numbers could be used for identity theft and fraud.
The revelation
prompted a
review lead by former secretary of the Department of Prime Minister and Cabinet
Peter Shergold.
The report did not
identify the source of the Medicare data leak but suggested that people could
use publicly available information about healthcare providers – including their
provider number and practice location – to pass security checks and obtain a
Medicare card number through the Department of Human Services provider hotline.
The review panel warned
the “current security check for release of Medicare card information provides a
much lower level of confidence than the security requirements” for Health Professional
Online Services, the portal that allows providers to make rebate claims.
An IT industry source,
who refused to be named, said the re-emergence of the data breach brings into
question government assurances around the privacy of medical data “when those
responsible cannot even manage the security of Medicare cards”.
The source said there is
a “concerted effort at the moment by law enforcement to curtail darknet market
activity”.
“In reality the darknet
markets, while disrupted momentarily when their sites are brought down, easily
relocate and continue business.”
Darknet markets can
simply private message existing clients with a new link to resume business
elsewhere.
Thus far the federal government has failed to recognise where Medicare cardholder details may be being accessed unlawfully, as this 2 August 2018 ABC online article indicates:
Privacy experts have warned that the system
opens up health records to more people than ever before, thereby increasing the
threat surface — the number of vulnerabilities in a system — dramatically.
Dr Bernard Robertson
Dunn, who chairs the health committee at the foundation, says once the data is
downloaded into the health system, the My Health record system cannot guarantee
privacy.
"Once the data has
been downloaded to, for instance, a hospital system, the protections of the
hospital system apply, and then the audit logs apply to the hospital system —
not to My Health record.
"So there is no way
the Government would know who has accessed that data, and it is untraceable and
untrackable that that access has occurred."
