Medicare 'dark web' scam could mean more red tape for GPs

Practices may face tougher security measures when looking up patients' Medicare details following claims hackers are selling patient Medicare numbers on the dark web.

The Federal Government has announced it will review the Medicare number lookup system, which GPs have used since 2009, after it emerged patients' Medicare numbers have been selling for about $30 each.

An initial concern was that cyber criminals had hacked into the Department of Human Services computer system to access the data.

But it now seems more likely that somebody logged into the Health Professional Online Services (HPOS) portal to use the Medicare number lookup system.

The HPOS portal is used by 45,000 health practitioners and other workers every day.

“The government wants to ensure that there is increased security in a system which is important to both patients and doctors,” the government said in a statement.

“The system, which has not been significantly altered since being brought in eight years ago, has to be both convenient and utterly secure.”

Both RACGP president Dr Bastian Seidel and AMA president Dr Michael Gannon will take part in the review, which will report by 30 September.

The government introduced the system to ensure patients could access Medicare-funded care even if they did not have their Medicare card.

However, GPs have previously complained that HPOS is difficult to log into and navigate — even with its existing layers of security.

Opposition health spokesperson Catherine King said the recent breaches had serious repercussions for “the integrity of our entire Medicare system”.

“This information is at the heart of our Medicare system and the Turnbull Government can’t protect it.”

Medicare numbers alone are not enough for someone to access another person’s medical records.

However, the core concern has been the potential for identity theft, with criminals using Medicare numbers along with other information to create a false identity.

According to the Department of Human Services, the review will cover:

  • The type of identifying information that a person should be required to produce to access Medicare treatment in both urgent and non-urgent medical situations.
  • The effectiveness of controls over registration and authentication processes at the health provider's premises to access Medicare card numbers.
  • Security risks and controls surrounding the provision of Medicare numbers across the telephone channel, and the online connection between external medical software providers and HPOS.
  • The sufficiency of control by patients and the appropriateness of patient notification regarding access to their Medicare number.
  • The adequacy of compliance systems to identify any potential inappropriate access to a patient’s Medicare number.
  • Any other identified area of potential weakness associated with policy, process, procedures and systems in relation to accessibility of Medicare numbers.