In the wake of last week’s revelation that Medicare card numbers were up for sale on the dark web, the Turnbull government has today announced a major review into the Medicare online system used by healthcare providers — widely presumed to be the source of the breach.

Guardian Australia broke the news that a cybercriminal was selling Medicare details by request, “exploiting a vulnerability” in a government system, raising concerns about the security of Australians’ health data.

Minister for Human Services Alan Tudge initially played down concerns, insisting there had been no data breach and the private medical information of the almost five million people with My Health Records was safe.

Described by the minister as “traditional criminal activity”, the sale of Medicare numbers on the nefarious online marketplace used by cybercrims was referred by the Department of Human Services to the Australian Federal Police for investigation.

However, with the My Health Record to be rolled out to all Australians in 2018, the government has been under pressure to ease alarm about the rigour of its cybersecurity defences.

The review — to begin immediately — will investigate the security of the online system that provides GPs, hospitals and other healthcare workers with access to the Medicare numbers of patients who have presented without a card, including in an emergency.

Currently, the Health Professionals Online Services (HPOS) only requires a patient’s name and date of birth to be entered. It is accessed 45,000 times a day.

The government says the review will ensure increased security in a system that is important to patients and doctors.

“Medicare cards and Medicare numbers have always been sought by criminals. This review will identify options to improve the security of Medicare numbers while continuing to support the accessibility of medical care,” the government’s statement said.

The review team, to be led by former head of the public service Professor Peter Shergold, will include the President of the Australian Medical Association and the President of the Royal Australian College of General Practitioners.

With an interim report due by 18 August, it will examine the appropriateness of the identifying information required to access Medicare numbers in urgent and non-urgent medical situations, the effectiveness of the registration and authentication processes for the premises of health providers, the online security controls between external medical software providers and HPOS, and the adequacy of government systems in detecting inappropriate access.



White papers