This isn't the first time it's happened, so companies are supposed to be more careful.
Medicare card numbers are the latest personal details to be exposed as part of the Optus data breach.
Optus has confirmed this affects 14,900 valid Medicare numbers that have not expired, and a further 22,000 expired card numbers.
The Optus data breach continues to frustrate customers around the country. Medicare details have now been added to the list of lost personal information. https://t.co/LtZOLDwMfP #7NEWS pic.twitter.com/bWEpPLSvba
â 7NEWS Canberra (@7NewsCanberra) September 28, 2022
But this isnât the first time Australiansâ Medicare numbers have been exposed. And some privacy and cybersecurity experts have long been concerned about the security of our health data.
Hereâs what you can do if youâre concerned about the latest Medicare breach, and what needs to happen next.
Whatâs the big deal?
Your Medicare number gives you access to subsidised services across Australiaâs health system. Most Australians have a number, whether or not they use these services.
Your Medicare card (as a plastic card or digitally, on your phone) is an official identifier. So alongside a driverâs licence, tax file number, birth certificate and passport, it can also be used as âproof of identityâ. You may have supplied your Medicare number when opening a bank account, or signing up for a phone plan.
The idea is to minimise the chance people are using fake identities to wrongfully gain benefits from governments and business, including taking part in criminal activities such as money laundering.
Businesses and agencies are not meant to match your Medicare number with other data (eroding your privacy) other than in exceptional circumstances.
But they commonly accept sight of the physical/digital card bearing the number as proof of who you claim to be and risk data breaches by retaining copies of what they saw. Optus was such a business.
What should happen to protect your Medicare number?
In theory, your Medicare number is protected by a number of different types of legislation â both national and at the state/territory level.
There are privacy laws. These are meant to prevent businesses and government agencies from unauthorised use of Medicare and other official identifiers for profiling people. These laws are also meant to prevent undisclosed sharing with other entities, such as individuals or businesses.
Then there are cybersecurity and other criminal laws. These also aim to prevent unauthorised access, sale and sharing of your Medicare number and other data (known as metadata) stored by telecommunication providers.
Has this happened before?
Medicare numbers have been breached before, in 2017. An official inquiry noted trade in stolen Medicare numbers on the dark web.
The 2017 breach was apparently much larger, but the Optus numbers may grow as the investigation continues.
Experts have also raised concern about the governmentâs authorised release in 2016 of apparently de-identified health data. In fact, patient details could be identified, using a number of simple steps.
These two earlier examples should have meant both health agencies and businesses have taken extra care about their obligations to safeguard health data.
What if your Medicare number has been exposed?
Unauthorised use of a Medicare number doesnât necessarily result in large-scale identity crime.
For instance, Minister for Government Services Bill Shorten has said a Medicare number alone cannot unlock access to someoneâs myGov account (and therefore access to someoneâs welfare or tax details).
Following the Optus data breach, Services Australia have just informed me that myGov accounts cannot be accessed with just a Medicare number.
â Bill Shorten (@billshortenmp) September 27, 2022
For more info: https://t.co/Uk9Zzgqtf6
However, the Optus data breach â and future data breaches in the public and private sector â does provide Australian and overseas criminals with a set of identifiers (including passport and driverâs licence numbers), that can be used for a range of identity crimes, such as impersonating someone else.
Optus is advising affected customers to replace their Medicare card, at no cost, via their Medicare online account at myGov, the Express Plus Medicare mobile app, or by calling Medicare on 132 011.
Further details are available via Services Australia.
What else needs to happen?
As with many data breaches, details about what happened at Optus, how and who is affected are only slowly trickling out.
The Office of the Australian Information Commission â the national privacy regulator â needs to run a rigorous and detailed investigation and release its findings publicly.
This needs to be accompanied by a hard-hitting independent inquiry of what happened at Optus. This requires IT expertise, which the Office of the Australian Information Commission may not have. Such an inquiry would also demonstrate Optusâ commitment to learn from any failures.
As we have seen before, businesses and government agencies cannot assume a data breach âwonât happen to themâ. We need to find out what happened at Optus to ensure the future privacy of some of our most personal data.
Bruce Baer Arnold, Associate Professor, School of Law, University of Canberra
This article is republished from The Conversation under a Creative Commons licence. Read the original article.