Concerns Raised Over Security of Medicare Details

An investigative journalist has found that it is possible to purchase the Medicare card details of Australian residents via an online auction site for illegal products, also known as a dark web marketplace. Those wishing to obtain such details simply need to provide the full name and date of birth of an individual in order to receive their Medicare card number and Individual Reference Number (IRN). The hacker selling the information has claimed they are exploiting a vulnerability in the system that allows them to run software that extracts the required data.

The Australian Government claims it is not a cyber security attack and that the information provided is not sufficient to access personal health record information. However, Medicare cards are typically worth around 40 identification points and may be used in identity theft or to create false identities to open bank accounts, buy property, or obtain a credit card. In 2015 thousands of dollars were lost to a sophisticated scam operating in three states, in which personal details taken from Medicare records were used to open bank accounts and lodge false claims.

IT experts believe that the availability of Medicare data on the dark web heightens security concerns about the My Health Record scheme. In the most recent budget, the government announced funding for continuation and expansion of the My Health Record, a centralised database on which a digital health record for every Australian will be created unless they opt out. The system contains information about an individual’s health, medications, allergies and treatment. The system also allows for clinical documents to be uploaded including health summaries, discharge summaries, diagnostic and pathology reports, and referrals.

Almost 5 million Australians, around 20%, currently have a My Health Record, which aims to coordinate services more efficiently and provide continuity of care. IT experts say this latest data security breach shows that governments have to improve data protection systems and that My Health Records may be available to hackers who have an individual’s personal information and Medicare number. One suggestion has been to adopt the system used in Germany and attach personal health information to the Medicare card itself via a chip rather than storing it in a centralised database.

The Department of Human Services says it is aware of the latest issue and is investigating along with the Australian Federal Police, and that those individuals who have had their Medicare card numbers sold online are being contacted and notified.