A data breach allowing the Medicare number and associated personal deets of any Aussie to be purchased for about $30 worth of bitcoin raises serious concerns about the government’s ability to protect public data.
News of the breach broke on Tuesday, when The Guardian revealed that a darknet vendor was auctioning Medicare card details of Australians on request.
According to The Guardian, the seller calls the service “the Medicare machine”, and claims to be exploiting a vulnerability that has a “solid foundation”.
The Federal Police have launched an investigation into the breach, and the Turnbull government has been quick to downplay its scope.
In a statement, Human Services Minister Alan Tudge said that “only Medicare numbers” were leaked and that used alone, they could not allow criminals to access health records.
“Any apparent unauthorised access to Medicare card numbers is nevertheless of great concern,” he added. “I cannot comment on cyber operations, however, I confirm that investigations into activities on the dark web occur continually. The security of personal data is an extremely serious matter. Thorough investigations are conducted whenever claims such as this are made.”
But the breach has raised concerns from both medical and security experts.
ABC News reports that the Australian Medical Association (AMA) is doubting the Government’s ability to protect patient data.
In 2012, the government launched My Health Record, a system which digitally stores medical information including patients’ reports, conditions, allergies and past treatments.
According to the My Health Record site, almost 20 percent of Australians have registered, with over 2 million clinical documents already uploaded. In the 2017 Budget, it was announced that in mid-2018, all Aussies will be automatically opted into the plan. However, you may still choose to opt out.
AMA President Michael Gannon told ABC News that the Medicare breach would make Australians feel uncomfortable using the new system.
“It is so important, as it is with a paper record, as it is with other forms of communication that are deeply personal matters, that they are secure,” he said.
Gannon believes that My Health Record is important in improving healthcare for Australians.
A spokesman from the Health Department told ABC that My Health Record has never been breached and that the security system has “multiple layers” to ensure protection. Maybe they should share their security system with Medicare.
Wait a minute – aren’t they both part of the Government?
Digital rights advocacy group Electronic Frontiers Australia has responded to the Medicare breach by calling on the Government to reconsider My Health Record.
Medical IT specialist Paul Power told The Sydney Morning Herald that while the Medicare breach may not allow access to health records, it does highlight a problem with large centralised data banks.
“Our Medicare data is held in a centralised location and the proposal is to have My Health Records hosted in a centralised location,” he said. “The kind of breach that has evidently happened with the Medicare data can – and almost certainly will – happen with the My Health Record data if we go ahead and host it on this same kind of centralised depository.”
Once again we find ourselves facing one of the most common trades in the modern era: convenience for privacy.
On one hand, it makes sense for the Government to have access to all our medical data because it can be easily distributed to doctors and hospitals around the country. On the other hand, why should the Government have my medical data if they’re unable to look after it?
Back in the day, Hippocrates came up with a little thing called The Hippocratic Oath, which doctors still strive to uphold.
One part of the Oath, in particular, seems in jeopardy: “I will respect the privacy of my patients, for their problems are not disclosed to me that the world may know.”
Perhaps a rewrite for 2017: “I will respect the privacy of my patients, unless there is a data breach and then, oh damn, now it’s on the dark web.”