Patients will need to produce identification when using Medicare services at a clinic for the first time, the Federal Government has revealed.
Responding to recommendations from the Independent Review of Health Providers’ Access to Medicare Card Numbers, the Government said producing IDs “should not be onerous, and should not serve as a barrier to health care”.
Headed by Professor Peter Shergold AC, the review was established in July, days after it was revealed that Medicare numbers were illegally being sold on the “dark web”.
The Guardian, which broke the story, reported at the time that a “darknet trader” claimed to be able to sell the Medicare details of any Australian by exploiting a vulnerability in the technology platform used by healthcare professionals.
Professionals would use the platform to access a patient’s details when the patient could not produce a Medicare card.
Following the review, there will be an overhaul of the system that stores Medicare details and of the way in which health professionals access these details.
“The Review Panel recommended several changes and improvements to existing Health Professional Online Services access controls, including transitioning healthcare providers away from the Public Key Infrastructure certificates, which enable access to Department of Human Services systems, to the more modern and secure Provider Digital Access authentication; suspending inactive accounts to prevent inappropriate use; and introducing time limits for delegate arrangements,” the Government said.
Other recommendations that have been agreed on are for health professionals to seek permission from patients before accessing their Medicare details, and that individuals are permitted to see who has sought access to their details.
Of the 14 recommendations, seven will be fully implemented by 30 June, a further four by 31 December and one by mid-2019. The two remaining recommendations do not require changes to be made.
“By providing identification, consumers will be playing an essential role in supporting the ongoing integrity of the Medicare system … The Government takes seriously its obligation to protect the significant personal information of Australians, and is working to maintain and strengthen its defences against ever more sophisticated cyber and criminal attacks.
“While the implementation of the recommendations set out below may involve short-term inconvenience during the transitional stages, it will bring greater security to a system that benefits all Australians.
“All Australians had a role to play in protecting the security of Medicare information,” the Government said.
The lack of outrage following revelations that the personal data of tens of thousands of Australians was up for sale on the dark web may have lulled the Government into believing it had dodged a bullet.
If that is the case, then we should all be concerned. Despite the Government’s proclamation that it “takes seriously its obligation to protect the significant personal information of Australians”, the opposite would appear to be true for several reasons.
The first is that it took the Government almost five months to respond to the review panel’s 14 recommendations. Given that it agreed with all of the recommendations (other than the one with which it merely “agreed in principle”), it is hard to believe that the Government was “grappling” with its response.
The panel took just 11 weeks to produce simple suggestions on how the systems used to store and transmit our personal data could be made more secure. The Government took almost twice as long to respond.
Soon after the security breach, the saga was referred to the Australian Federal Police (AFP).
An AFP spokesperson confirmed to YourLifeChoices that the investigation was still ongoing.
YourLifeChoices has also submitted a request to the Australian Information Commissioner’s (AIC) office to ascertain if it is looking into the data breach. At the time of writing we are still awaiting a response from the AIC.
From the AIC’s website, we do know that “some kinds of personal information may be more likely to cause an individual serious harm if compromised. Examples of the kinds of information that may increase the risk of serious harm if there is a data breach include:
- ‘sensitive information’, such as information about an individual’s health
- documents commonly used for identity fraud (including Medicare card, driver licence and passport details).”
With or without receiving a complaint, the AIC can commence its own investigation into a breach of data. If it finds something untoward, its enforcement powers are significant. The Commissioner can:
- make a determination requiring the payment of compensation for damages or other remedies, such as the provision of access or the issuance of an apology (enforceable by the Federal Court or Federal Magistrates Court)
- accept an enforceable undertaking
- seek, or apply for, civil penalty orders of up to $340,000 for individuals and up to $1.7 million for companies, and
- seek an injunction regarding conduct that would contravene the Privacy Act.
No doubt, these powers are designed to ensure organisations and individuals are held to account when their actions, or lack thereof, imperil the welfare of others.
But the Government, so far, seems to be sidestepping the blame by declaring that keeping Medicare data secure is everybody else’s responsibility.
Someone needs to be held accountable for the Medicare card security breach. We entrust the Government with the most personal of our information and we need to feel secure that it cannot be hacked. The Government must not be allowed to shrug its shoulders and declare “nothing to see here”. Because for a while, there was plenty to see – on the dark web.
Have you had your private data breached? Have you been a victim of identity theft? Should the Government do more to protect our private details on its systems?