The federal government is reviewing healthcare providers’ online access to Medicare card numbers after a breach in which patients’ Medicare numbers were offered for sale.
The review, led by Professor Peter Shergold and a panel including AMA president Michael Gannon and his RACGP counterpart Dr Bastian Seidel, will start work immediately to improve security and report by back by September 30.
“Medicare cards and Medicare numbers have always been sought by criminals,” Health Minister Greg Hunt said in a joint statement with Human Service Minster Alan Tudge.
“This review will identify options to improve the security of Medicare numbers while continuing to support the accessibility of medical care.”
The Health Professionals Online Services is utilised 45,000 times a day, allowing GPs, hospitals and other providers to access a Medicare card number using a name and date of birth.
“The system, which has not been significantly altered since being brought in eight years ago, has to be both convenient and utterly secure,” the ministers’ statement said.
“The review team will examine this balance to determine its adequacy in today’s context.”
The system was introduced in 2009 to ensure people in an emergency could get treatment immediately, even if they did not have their card.
The review follows an alleged breach related to “a small number of Medicare card numbers” which is being investigated by the Australia Federal Police.
“We re-emphasise that a Medicare card number alone does not provide access to any medical or clinical records,” the statement said.
The review will examine and advise on:
- The type of identifying information that a person should be required to produce to access Medicare treatment in both urgent and non-urgent medical situations.
- The effectiveness of controls over registration and authentication processes at the health provider’s premises to access Medicare card numbers.
- Security risks and controls surrounding the provision of Medicare numbers across the telephone channel, and the online connection between external medical software providers and HPOS.
- The sufficiency of control by patients and the appropriateness of patient notification regarding access to their Medicare number.
- The adequacy of compliance systems to identify any potential inappropriate access to a patient’s Medicare number.
- Any other identified area of potential weakness associated with policy, process, procedures and systems in relation to accessibility of Medicare numbers.