Not wide-scale, and no IT breach, says minister.
The federal government says there has been no breach of the Department of Human Services’ IT systems and the Medicare card data currently on sale likely affects only a small number of people.
Human Services minister Alan Tudge today made the comments despite the dark web vendor of the Medicare information claiming to have access to any Australian’s Medicare card.
The Guardian revealed today that an unknown individual was offering the details for around A$29 per file.
The online sale – confirmed by iTnews – claims the “Medicare patient details … of any Australian citizen” can be accessed for A$29 and the person’s first and last name and date of birth.
“Details provided include Medicare number, IRN and expiry date,” the listing states.
The vendor also promised to soon offer “mass batch requesting of details” via CSV file, and claims to have obtained the details through a vulnerability described as having a “solid foundation”.
The federal government today sought to downplay the impact of the security breach, arguing health records had not been affected.
In a press conference on Tuesday afternoon, Human Services Minister Alan Tudge said there was “no indication there has been a wide-scale breach”.
“The suggestions are the numbers are very small and we are talking about the acquisition of Medicare card numbers only,” Tudge said.
“Nobody’s health records can be obtained just with a Medicare card number.”
He said DHS had informed him there had been no breach of its systems.
“It is more likely to have been a traditional criminal activity,” he said.
He did not elaborate. It is likely the minister is referring to traditional fraud activities like card skimming or the compromise of an individual with privileged access to data.
The listing for the Medicare card records was still active online at the time of writing.
Third party breach?
The information the vendor asks for in return for a Medicare number – full name and date of birth – is the same data required for a search on Human Services’ HPOS Medicare verification service for healthcare providers.
“When a Medicare card number is unavailable, you can enter personal information such as surname, first name and date of birth for the patient,” its website states. These are the only mandatory search fields.
It will return a Medicare card number, individual reference number (IRN), and first name – the same data the vendor promises to supply after payment.
While the government claimed that the breach had not impacted health records, a 2015 privacy impact assessment on the then-named PCEHR e-health records opt-out scheme shows records can be accessed with the above combined data.
The 2015 privacy assessment (archived) on the now-named My Health Record program shows an individual’s record can be accessed by a healthcare provider with their full name, date of birth, gender and Medicare card number.
Privacy expert Anna Johnston of Salinger Privacy, who worked on the assessment, said the addition of the Medicare card number was intended to stop healthcare workers trawling through the system to look up people who weren’t their patients.
“But if all that is needed to find out someone’s Medicare number (whether unlawfully through a data breach, or by design through the health provider portal) is their full name and date of birth, then to me this seems to undermine one of the ways that privacy risks were supposed to be minimised in the design of the My Health Record system,” she told iTnews.
She noted that while the impact of this type of abuse would currently be limited, given that the My Health Record system is in the early stages of transitioning to opt-out, it would quickly have much wider implications as the rollout scales.