An inquiry into the sale of Medicare card details on the dark web has called for the tightening of healthcare provider access to Medicare numbers, with recommendations for widespread changes.
In July, a dark web vendor was reported by The Guardian to be illegally selling Medicare card numbers by request, exploiting a vulnerability in the Department of Human Services system that allows health professionals to obtain the details when patients are unable to provide them.
The independent review chaired by Professor Peter Shergold was commissioned by the government to look at improved security for the system without unnecessarily adding to healthcare workers’ administrative workloads.
Although not designed for use as personal identification, the review found Medicare cards are widely used as an important proof of identity component, making them attractive to fraudsters. Gaining access to health services for those who are not eligible for Medicare or trying to obtain large quantities of prescription medication are other illegal uses for the cards.
“The Medicare card can be used to help verify an identity and, like any evidence of identity credential, is therefore susceptible to theft for identity fraud and other illicit activities. Illegally obtained Medicare card numbers could also potentially be used for fraudulent Medicare claiming or to enable ineligible individuals to access Medicare funded health services,” the review’s final report said.
According to the review, the My Health Record was not compromised by the breach but public confidence in the government as the custodian of private data could be affected by lax Medicare security protections.
“While there has been no risk to patients’ health records as a result of the reported sale, there is a danger that inappropriate access to Medicare card numbers might reduce public confidence in the security of government information holdings, such as the My Health Record system.”
Rejecting the need to add a photograph or hologram to Medicare cards, the review made a number of recommendations for immediate improvements.
- Health professionals should be required to take reasonable steps to confirm the identity of patients, such as through photographic ID.
- Health professionals should be required to seek the consent of patients before accessing their Medicare numbers.
- Health professionals should be actively encouraged to use the Health Professional Online Services system, with telephone channels phased out over the next two years except in exceptional circumstances.
- “Delegates” within HPOS – such as administrative staff acting on behalf of healthcare providers – should require renewal every 12 months, with a warning three months before the delegation expires.
- Batch requests for Medicare card numbers through HPOS by hospitals should be more tightly controlled (50 card numbers per batch request, and only one batch request per day), unless healthcare providers apply in writing to the Chief Executive Medicare, demonstrating a clear business need for a higher limit.
- Authentication for HPOS should be moved from the PKI system to the more secure PRODA within three years.
- Suspending or cancelling PRODA accounts if they have not been used for a certain period.
- HPOS accounts that have been inactive for a period of six months should be suspended, following a warning to users after three months of inactivity.
In 2016-17, DHS processed 399.4 million Medicare services and paid Medicare benefits totalling $22.4 billion. It also processed 207.9 million services and paid benefits totalling $12.4 billion under the PBS. About 10.2 million Medicare card number searches and confirmations were carried out through the HPOS Find a Patient system. DHS also offers integration for approved third party software products for claiming, billing and reporting, and information exchange with health professionals.
According to the review, DHS holds a large volume of Medicare information and other personal data, and has implemented sophisticated cyber security and internal fraud control protections to ensure the security of this information. It also monitors systems and uses intelligence-gathering techniques to monitor internal fraud and unauthorised access.
The review was conducted with support from the RACGP and the AMA, and included technical briefings provided by DHS, the Department of Health, the Attorney-General’s Department and the Australian Digital Health Agency, as well as demonstrations of HPOS and the DHS call centre operations, and a site visit to a general practice. Written submissions were received from 24 organisations and individuals.
The Senate Finance and Public Administration References Committee is also conducting an inquiry, and the Australian Federal Police is investigating the breach.