The Department of Human Services (DHS) has issued around 165 individuals with new Medicare numbers as a precaution following the darknet ‘Medicare Machine’ scandal.
The Medicare Machine was a service on a Tor-protected ‘darknet’ marketplace (the site hosting the service has since gone offline) that would provide the Medicare card details of anyone whose name and date of birth were supplied, along with $30 in Bitcoin.
Guardian journalist Paul Farrell broke the story in July, reporting that he had been able to purchase his own Medicare number from a “darknet trader”.
Caroline Edwards, deputy secretary of the DHS, told a Senate Finance and Public Administration References Committee inquiry into the incident today that an “abundance of caution” had led to the individuals being alerted.
“We have moved to do customer recovery for all the cases that could have conceivably been affected,” she said. “And everybody who might have conceivably been affected, their records have been carefully checked. We have no evidence there was any inappropriate Medicare claiming or other activity on any of those but as an extra precaution every person has been contacted and issued with a new Medicare number.”
The 165 individuals were told there was a “potential compromise” of their number and “in an abundance of caution we’re issuing you a new number”, Edwards added.
Edwards reiterated the DHS’s initial response to the Guardian story. At the time, human services minister Alan Tudge said that there had “not been a cyber security breach”, instead blaming “traditional criminal activity”.
“We have always dealt with the situation where somebody steals 1,000 files from a medical practice and goes and sells them down the local pub and this is more akin to that sort of circumstance… It’s legitimate access being used illegitimately which happened to go through to the darkweb we understand. The vulnerability was a more traditional vulnerability,” Edwards said.
Edwards confirmed the department believed access had been made via the Health Professionals Online Services (HPOS) system, although she gave no detail due to an ongoing Australian Federal Police investigation.
She added that audit logs allowed the department to determine which ‘access point’ or health provider was behind any access to an individual’s Medicare number.
No risk to My Health Record
Tim Kelsey, CEO of the Australian Digital Health Agency – established last year as a successor to the National E-Health Transition Authority (NeHTA) – added that My Health Record data was not at risk as a result of the Medicare Machine.
“An individual’s Medicare card number alone does not allow My Health Record information to be accessed. Additional information is required to authenticate consumers and healthcare providers,” he said. “The security and operation of the system protects against the unauthorised disclosure of health information from the My Health Record for individuals with access to Medicare numbers.”
Other submissions to the inquiry – such as that made by security researchers Dr Chris Culnane, Dr Ben Rubinstein and Dr Vanessa Teague from the University of Melbourne – noted that a person's Medicare number wasn't “an inherently sensitive piece of information” but that it was important such numbers not become widely accepted as proof of identity.
Edwards added that Medicare cards were considered “actually a reasonable form of identification”, but “on its own isn’t sufficient” in most cases.
A separate government-commissioned independent review of health providers’ access to Medicare card numbers was launched in July, led by Professor Peter Shergold. It is due to present its findings by the end of this month.
Statements made earlier today by the Royal Australian College of General Practitioners and Australian Medical Association warned against the government introducing additional security measures which could reduce the efficiency of systems like My Health Record.