A Senate committee has rapped the Department of Human Services for failing to address potential identity fraud involving stolen Medicare details.
The Finance and Public Administration References Committee inquired into the circumstances in which Australians’ Medicare numbers were allegedly stolen and put up for sale on the dark net.
In response to the breach, a separate report has recommended the government tighten controls on health professionals’ access to Medicare numbers, including a phase-out of telephone services over two years.
The Senate committee said it was not known how the Medicare numbers were appropriated. Some experts had said the breach most likely arose from an authorised user of Health Professional Online Services (HPOS), or from the theft of HPOS authentication credentials.
But the committee suggested the department had underestimated the threat.
“The submissions from the department do not indicate that this risk is fully understood, or has been addressed,” the committee said in its report, released this week.
The committee noted “with great concern” that the issue of potential identity fraud involving Medicare numbers had arisen before, and the department had been questioned about it at a Senate Estimates hearing in October 2015.
In the 2015 hearing, the department confirmed that the Medicare details of 369 individuals had been appropriated over a two-year period and rebates had been diverted to fake bank accounts.
In the “dark net” affair, revealed by The Guardian in July, the committee also noted that it was a media organisation rather than government monitoring that brought the security breach to light.
“The committee is also concerned by the department’s failure to promptly notify affected individuals once the breach was notified,” it said.
It said responsible data management required prompt disclosure when security breaches occurred.
The criticism comes on the heels of an independent report from former public service chief Sir Peter Shergold, which recommended health professionals should be encouraged to use HPOS as the primary means of accessing or confirming a patient’s Medicare number.
The report said telephone channels should be phased out in two years, in all but exceptional circumstances. In 2016-17, health providers made 500,000 calls to the Medicare-provider inquiry line.
In the interim, security checks for phone access should be strengthened with additional questions to be answered by health professionals or their delegates.
Health professionals should also be required to take “reasonable steps” to confirm the identity of patients when they are first treated.
Authentication for HPOS should be moved from Public Key Infrastructure (PKI) to the Provider Digital Access (PRODA) system within three years, the Shergold report said.
The report, issued last weekend, recommended delegations within HPOS should need renewal every 12 months, and HPOS accounts should be suspended after being inactive for six months, to reduce the risk of unauthorised use.
The review, assisted by RACGP President Dr Bastian Seidel and Dr Kean-Seng Lim, Deputy Chair of the AMA’s Council of General Practice, also backed stronger patient-privacy rules and concluded that Medicare cards should remain in use as a form of secondary evidence of identity.
In submissions, the RACGP and the Pharmacy Guild supported a proposal to require patients to show proof of identity when they first visit a health service.
But the AMA, the Northern Territory Health Department and the National Aboriginal Community Controlled Health Organisation argued against the step.
“It would place an unnecessary administration burden on practices and put in place an unnecessary barrier to care for patients,” the AMA said.