Dissenting Report by the Australian Greens

Circumstances in which Australians' personal information has been compromised and made available for sale illegally on the 'dark web'


1.1        The Australian Greens believe that Australians' health data, given its sensitive nature, should be treated with extreme care. The Medicare data breach event, in which an Australian journalist was able to purchase their own Medicare number on the dark web gave rise to significant concerns from the public regarding the safety of their health information.

1.2        As is noted in the majority Committee report, we note with concern that it was a journalist, not the government who identified this breach. The Greens concur with the committee report that the department's failure to promptly notify affected individuals once the breach was identified is concerning and that responsible data management requires prompt and timely disclosure when security breaches occur.

1.3        This breach event gave rise to concerns, from a number of submitters to this inquiry, about the security of the HPOS system, and potential parallels with the My Health Record system.

1.4        The Australian Greens referred this inquiry to the Finance and Public Administration Committee in light of these public concerns. While the Committee did not receive clear information about how this breach could occur, the inquiry has raised questions about the outdated security practices used in authenticating users of the HPOS system, and best practice in administering and protecting, personal health data.

1.5        The inquiry also raised concerns from some, about the use of Medicare numbers as a form of secondary ID, which gives them unintended value as a commodity related to identity theft and fraud, compromises patients safely using Medicare numbers for their intended purpose, which is to access healthcare.

1.6        The Australian Greens are particularly concerned by any impact this breach, or current practices, might have on the roll-out of the My Health Record system. We understand the clear benefits of a personally controlled electronic health record to best practice patient care, when executed to the highest standards of protection.

1.7        We note the points made by security and privacy submitters to the inquiry, regarding the need for best practice security in dealing with this sensitive data. The Australian Greens believe that an appropriate balance must be reached to ensure the best patient care outcomes through the use of electronic health records, and appropriate privacy and security of personal information of Australians.

1.8        We share concerns raised by the AMA and RACGP in the inquiry in relation to vulnerable groups and their access to healthcare.

Medicare numbers as a form of ID

1.9        The majority committee report acknowledges that "the secondary role of Medicare card numbers as an aspect of proof of identity under the DVS makes the card valuable for identity theft", but that "the secondary use of the Medicare card as a proof of identity document under the DVS falls within the Attorney-General's portfolio".[1] The Australian Greens support the recommendation made in several submissions that the use of Medicare numbers under the Attorney-General’s Document Verification Service (DVS) scheme should be reviewed.[2]

Access to healthcare information

1.10      The majority committee report states that the committee is "satisfied that the potential for identity theft by means of a stolen Medicare card number does not result in an individual's health information being accessed".[3] However, Mr Tim Kelsey, Chief Executive Officer, ADHA testified that a Medicare number is one of the five pieces of information that grants access to My Health Record.[4] Future Wise notes that:

the Medicare number was supposed to be an additional point of identification to prevent the unauthorised access by registered healthcare workers, so while technically correct that the medicare number of itself does not allow access to myHR, it forms a part of the puzzle.[5]

Prior incidents

1.11      The Australian Greens share the concerns expressed in the majority committee report that "the issue of potential identity fraud has arisen before" and that the "submissions from the department do not indicate that this risk is fully understood, or has been addressed".[6] We recommend that DHS and ADHA are required to report on the knowledge, actions, and outcomes in regards to these prior incidents of fraud related to Medicare numbers.

Security standards

1.12      The majority committee report notes that a range of security issues were identified in various submissions, but not does provide a committee view or recommendations related to these issues.[7] The Australian Greens recommend that these issues are addressed by DHS and ADHA to bring security of HPOS and My Health Record up to world best-practice prior to My Health Record transitioning to an opt-out system.

1.13      Mr Paul Power, eHealth Privacy, explained that the HPOS and My Health Record systems are fundamentally insecure, and require an unachievable level of security to be made secure, due to the sheer number of people who have access to all records in the system.[8] Mr Power notes that My Health Record is "unlike other large government databases where restrictions are such that no users have access to all records" and that there is "no risk mitigation to protect My Health Records implemented as a central repository accessed over the internet by a large number of legitimate users". Mr Power points to the system used in Germany as an alternative, where master data is held on an encrypted eHealth card by each citizen.

1.14      Mr Paul Power, eHealth Privacy, notes that it is virtually impossible to determine who is responsible for a breach, as "although we may be able to identify one or many legitimate access points as a source of breach, there is no reasonable way to rule out the possibility that such sources have been hacked."[9]

1.15      Future Wise notes that the security measures used for HPOS only attempt to restrict unauthorised access, whereas "improper use by users who do have a valid reason for accessing the system is not prevented."[10] Future Wise also states that "unequivocally the greatest risk to the privacy of myHealthRecord holders" is not hackers or cybercriminals, but "improper access by authorised users".[11]

1.16      Future Wise also highlights that registration to PRODA is not protected against identity theft:

Registration is via three forms of identification, verified online. There is no protection against identity theft; the combination of a compromised email address and a stolen wallet, combined with publicly accessible information from the web would be sufficient to register for an account with identity verification. Status as a healthcare worker is verified by comparing the biographic details entered with the provider’s registration number with the Australian Health Professionals Regulation Authority registration number. This number is available to public search via APHRA’s website, and requires only the name and professional stream of a healthcare worker to find.[12]

1.17      Mr Power states that the two methods of access to HPOS (PKI and PRODA) are both vulnerable to attack.[13] Dr Robert Merkel states that neither PKI nor PRODA implement "contemporary information security best practices", with issues related to the PKI system's use of cryptographic hash functions and the PRODA system's use of email-based 2-factor authentication.[14]

1.18      Future Wise also notes issues with the 2-factor authentication (2FA) used for HPOS that involves storing a certificate on a memory stick, which is often left plugged into a practice admin computer, compromising security.[15] Future Wise also notes issues with the Android App that is an option for 2FA for PRODA, as well as no option for widely accepted 2FA standards such as OTP/TOTP.[16]

1.19      Future Wise also state that the Australian Government’s data protection practices cannot be considered best practice:

Major Australian Government IT projects have been beset with technical and planning failures and subject to widespread criticism in the mainstream media, in technical circles and by the general public. In the last 18 months, in addition to this breach, there has been the reidentification of provider numbers from the Data.gov.au Medicare dataset; the leaking of parliamentarians’ phone numbers, the deliberate release of personal information of blogger Andie Fox in response to her articles about the Centrelink automated debt recovery, and the public service census data breach potentially leaking the personal details of 96,000 public servants.

These examples are specifically related to data protection, and have occurred at the same time as a large number of non-security-related IT issues – the electronic census website outage now popularly known as "#Censusfail" and multiple outages of the Australian Tax Office's website.[17]

Conclusion and Recommendations

1.20      The Australian Greens are concerned that this breach occurred and we call on the government to take the necessary steps to ensure that health services employ world best-practice data security practices. We look forward to the government’s response to this inquiry and the “Independent Review of Health Providers’ Access to Medicare Card Numbers”, with detailed next steps that the government will take to ensure that this kind of breach is not repeated in future.

Recommendation 1

1.21      The Australian Greens recommend that the use of Medicare numbers under the Attorney-General's Document Verification Service (DVS) scheme should be reviewed.

Recommendation 2

1.22      The Australian Greens recommend that security and privacy issues raised in this inquiry are addressed by DHS and ADHA to bring security of HPOS and My Health Record up to world best-practice.

Recommendation 3

1.23      The Australian Greens recommend that DHS and ADHA report on their knowledge, actions, and outcomes in regards to the prior incidents of fraud related to Medicare numbers, as raised in October 2015 Estimates.

Recommendation 4

1.24      The Australian Greens recommend that the government implements the recommendations of the "Independent Review of Health Providers' Access to Medicare Card Numbers" as soon as possible.

Senator Richard Di Natale
Australian Greens

Navigation: Previous Page | Contents | Next Page