The federal government was warned more than three years ago of security deficiencies surrounding personal Medicare data, with the Department of Human Services told it was not fully complying with spy agency rules.
[Graphic: Medicare cards falling like dominoes. Page one graphic, July 5 2017. Credit: Stephen Kiprillis]
Questioning the department’s ability to keep the data safe from “security threats from external and internal sources”, the government auditor made a series of recommendations in April 2014 but it is unclear if they were fully implemented.
The Australian National Audit Office concerns emerged as the Greens announced they would push for a Senate inquiry into revelations that Medicare numbers are available for sale on the “dark net”, a shadowy corner of the internet where criminal activity flourishes. It remains unclear how the numbers are being accessed.
[Photo: Human Services Minister Alan Tudge. Credit: Andrew Meares]
Human Services Minister Alan Tudge maintains it is “highly unlikely” the department’s IT systems have been hacked, repeating his claim that the breach is more likely the result of “traditional criminal activity”.
“The Australian Federal Police will get to the bottom of this and I have to be a bit careful in terms of what I say that I do not jeopardise their investigation,” he said.
The Auditor-General’s 2014 report found the department’s Medicare data security procedures did not comply fully with the mandatory requirements of the Australian government’s Information Security Manual – rules set out by the Australian Signals Directorate, the country’s top electronic spy agency.
“Human Services undertakes security initiatives outlined in the ISM but falls short of complying fully with the standards outlined,” the report said.
“Fulfilling these requirements would assist Human Services to identify and mitigate risks to the security and confidentiality of Medicare customer data.”
Complying with the rules would help the department “withstand security threats from external and internal sources”, the auditor said, warning that a failure to act significantly increased the risk of “fraudulent activity”.
The department was asked whether it had fully implemented the auditor’s recommendations but it did not respond before deadline.
But in the 2014 audit, the ANAO pointed out that the department had failed to implement the security recommendations of a similar 2004 report.
However, an ANAO report earlier this year did label the department “cyber resilient”, saying it was better prepared for cyber attack than the Australian Tax Office and the Department of Immigration and Border Protection.
Labor’s health spokeswoman Catherine King said it was “extremely concerning” the government was warned about Medicare data security issues three years ago “and we are still in this situation”.
Greens leader Dr Richard Di Natale said he had grave concerns about the breach and what it meant for public confidence in electronic health records, which will roll out to most Australians in the coming year.
“That is why the Greens will be moving for a Senate inquiry when we return to ensure that this issue is dealt with and that we don’t have the same vulnerabilities across other areas,” he said.
Australian Medical Association President Michael Gannon said electronic health records were “the future” but both doctors and patients needed reassurance that the integrity of the information would be guaranteed.
“If there’s any possible threat to confidential patient information, Australia’s doctors will speak up,” Dr Gannon told radio station 6PR in Perth.