Data breach of Australia’s Medicare exposed, EHR safety concerns raised

20170713100000, Nilufer Hajra
Data breach of Australia’s Medicare exposed, EHR safety concerns raised
It has been discovered that since October 2016, a darknet vendor has been selling Australians’ Medicare details.
The recent health data breach in Australia has forced the Australian Government to pass mandatory data breach notification laws that all health service providers will have to follow.

Under the new laws, all health service providers in the private sector will have 30 days to react as soon as they realise there has been a data breach. Investigating the breach and publishing a statement to notify the Privacy Commissioner of the breach and patients, especially if patients are affected, are the steps that the Australian Government would want private health service providers to take.

Since the government has announced a new opt-out online health record in the 2017 Budget, a deeper look into security concerns will also be pushed to maintain the public trust and confidence in the security of online health data.

According to the Australian Government, it is the healthcare providers’ responsibility to protect personal data from attacks by cyber criminals. Since nothing is saved on paper anymore, the stakes are higher when it comes to online data breach and the type of records that can be leaked.

Embarrassed by the data breach


The new law enforced by the Australian Government follows the latest data breach that has left health service providers red in the face. It has been discovered that since October 2016, a darknet vendor has been selling Australians’ Medicare details.

The dark web vendor who sells Medicare numbers stocks a range of other fraud products. Photo credit: sbs.com.au
The dark web vendor who sells Medicare numbers stocks a range of other fraud products. Photo credit: sbs.com.au

Patients’ health information was being sold on a popular auction site and Alan Tudge, the human services minister, has admitted that his department was not aware of this data breach. What made matters worse was that Department of Human Services only found out of this data breach claim from the Guardian newspaper.

The investigation by Guardian Australia revealed all the shocking details in its paper, including the fact that at least 75 patients’ personal details have been sold and that one of its reporters purchased his own Medicare number at AUD $30. Due to the seriousness of this data breach, the Department of Human Services has referred this case to the Australian Federal Police.

Government agencies are highlighting approaches that can help all healthcare providers to know when there’s a serious data breach. One of the approaches includes monitoring popular dark websites to make sure that their patients’ information are not being displayed, auctioned off or sold.

The Department of Human Services sees this data breach as a traditional criminal activity instead of a hack or a cyber-attack. A traditional criminal activity is when personal information or credentials are stolen on the spot not online, such as through a break-in or theft, and these details are then used for fraudulent purposes.

Medical officers are concerned on the safety of EHR


Doctors are concerned now at how this breach can make patients turn away from the Australian Government’s digital medical file scheme, a AUD 1 billion My Health Record System that is set to be implemented for all residents of Australia in 2018. This digital medical file scheme stores patients’ medical information, such as allergies, medical conditions, treatments, and scan reports.

Questions are being asked and answers are being demanded from the Government by the Australian Medical Association on this issue specifically on how patient confidentiality should be protected.

“This is a deeply concerning development. It is so important that this information has integrity,” Michael Gannon, the president of the Australian Medical Association, said.

“The electronic health record has the potential to reduce adverse drug reactions, to reduce unnecessary duplication of investigations,” he explained. “But to do all that both doctors and patients needs absolute confidence in the integrity of personal information.”

Speaking on this, a Health Department spokesman said that the Government’s digital medical file scheme has multiple layers of security to protect access to the system and that so far, there have been no security breaches of patient data in the system. However, privacy advocacy groups are not too happy with this data breach.

The executive officer of the Electronic Frontiers Australia, Jon Lawrence, said “This breach is particularly concerning as the government is working to implement a system of mandatory electronic health records.”

“If core identity-related information such as Medicare numbers can’t be effectively protected, the government should be seriously reconsidering its decision to mandate the creation of electronic health records for the entire population.”

Though Mr. Tudge declined to elaborate on the official investigation, he reiterated that the sensitive data of patients are well-protected by saying, “Nobody's health records can be accessed just with a Medicare card number. Anybody who suggests otherwise is irresponsible and is fear-mongering.” MIMS

Read more:
Ensuring the safety of digital healthcare
Digital healthcare necessitates improved cyber security and a prepared society
The converging lines between tech giants and healthcare

Sources:
https://www.theguardian.com/australia-news/2017/jul/05/medicare-data-breach-alan-tudge-admits-department-unaware-darknet-vendor-selling-card-details
http://www.sbs.com.au/news/article/2017/07/04/medicare-data-breach-tip-iceberg-world-australian-dark-web-fraud
http://www.abc.net.au/news/2017-07-05/medicare-doctors-questions-medical-record-confidentiality/8679356
http://www.smh.com.au/federal-politics/political-news/a-real-mediscare-data-breach-raises-new-concerns-about-security-of-health-records-20170704-gx4ajt.html
http://thenewdaily.com.au/news/national/2017/07/05/government-contacts-medicare-breach-victims/
https://www.theguardian.com/australia-news/2017/jul/04/the-medicare-machine-patient-details-of-any-australian-for-sale-on-darknet