In the wake of the discovery of Medicare numbers for sale on the dark web, the peak body for general practitioners has said it is satisfied with the current security protocols and cautioned against tightening of access.
The Guardian broke the story in July that a dark web vendor – the Medicare Machine – could provide Medicare numbers to order for about $30 each, with the Department of Human Services’ Health Professional Online Services (HPOS) the likely access point.
In its submission to the Senate inquiry into the data breach, the RACGP claimed HPOS, which is used throughout the healthcare system to retrieve Medicare numbers for patients, is essential for patient care.
“Restricting access to Medicare information could compromise the provision of essential healthcare if patients are unable to confirm evidence of eligibility. This poses a significant risk to Australia’s most vulnerable people,” the organisation representing more than 35,000 members said.
“The RACGP supports any initiative that strengthens the security of the HPOS system, but it is important for this to be balanced with reasonable administrator access to patient Medicare information.”
The RACGP also said it did not see any “significant implications” for the rollout of the My Health Record system, which has “many layers” of security.
Submissions to the Senate Finance and Public Administration Committee’s inquiry closed on Friday, with the Australian Digital Health Agency claiming an individual’s Medicare card number alone does not allow My Health Record information to be accessed.
“The security and operation of the system protects against the unauthorised disclosure of health information from the My Health Record for individuals with access to Medicare numbers,” according to the ADHA’s submission.
“The system complies with the Australian Government requirements for storing and processing protected information and is regularly tested and audited to confirm that these requirements are met.”
Timothy Pilgrim, the Australian commissioner for information and privacy, said the use of personal information should be necessary, proportionate and reasonable, while security is essential to ensure public trust.
“While I appreciate the policy considerations around making this information available to healthcare providers, consideration must also be given to the security of that information and whether the use of personal information in this manner strikes an appropriate balance between achieving policy goals and any impact on privacy,” Pilgrim said in his submission.
According to the commissioner, who said his office only became aware of the Medicare data breach when contacted by a journalist, 69 per cent of Australians are more concerned about the privacy of their personal information when using the internet than five years ago, while 83 per cent think online environments are inherently more risky than offline.
An AFP investigation is underway and the government has also commissioned a review of health providers’ access to Medicare card numbers, led by Professor Peter Shergold.
There are currently more than 5.1 million individuals registered for a My Health Record, around 21 per cent of Australia’s population. Almost 10,000 healthcare provider organisations are participating in the system, with over 2,750,000 clinical documents uploaded, including shared health summaries, discharge summaries and pathology reports.
The inquiry will report to the government by 16 October.