I’ve given out my Medicare number. How worried should I be about the latest Optus data breach?

Bruce Baer Arnold, Associate Professor, School of Law, University of Canberra

Medicare card numbers are the latest personal details to be exposed as part of the Optus data breach.

Optus has confirmed this affects 14,900 valid Medicare numbers that have not expired, and a further 22,000 expired card numbers.

But this isn’t the first time Australians’ Medicare numbers have been exposed. And some privacy and cybersecurity experts have long been concerned about the security of our health data.

Here’s what you can do if you’re concerned about the latest Medicare breach, and what needs to happen next.

What’s the big deal?

Your Medicare number gives you access to subsidised services across Australia’s health system. Most Australians have a number, whether or not they use these services.

Your Medicare card (as a plastic card or digitally, on your phone) is an official identifier. So alongside a driver’s licence, tax file number, birth certificate and passport, it can also be used as “proof of identity”. You may have supplied your Medicare number when opening a bank account, or signing up for a phone plan.

The idea is to minimise the chance people are using fake identities to wrongfully gain benefits from governments and business, including taking part in criminal activities such as money laundering.

Businesses and agencies are not meant to match your Medicare number with other data (eroding your privacy) other than in exceptional circumstances.

But they commonly accept sight of the physical/digital card bearing the number as proof of who you claim to be and risk data breaches by retaining copies of what they saw. Optus was such a business.

What should happen to protect your Medicare number?

In theory, your Medicare number is protected by a number of different types of legislation – both national and at the state/territory level.

There are privacy laws. These are meant to prevent businesses and government agencies from unauthorised use of Medicare and other official identifiers for profiling people. These laws are also meant to prevent undisclosed sharing with other entities, such as individuals or businesses.

Then there are cybersecurity and other criminal laws. These also aim to prevent unauthorised access, sale and sharing of your Medicare number and other data (known as metadata) stored by telecommunication providers.

Has this happened before?

Medicare numbers have been breached before, in 2017. An official inquiry noted trade in stolen Medicare numbers on the dark web.

The 2017 breach was apparently much larger, but the Optus numbers may grow as the investigation continues.

Experts have also raised concern about the government’s authorised release in 2016 of apparently de-identified health data. In fact, patient details could be identified, using a number of simple steps.

These two earlier examples should have meant both health agencies and businesses have taken extra care about their obligations to safeguard health data.

What if your Medicare number has been exposed?

Unauthorised use of a Medicare number doesn’t necessarily result in large-scale identity crime.

For instance, Minister for Government Services Bill Shorten has said a Medicare number alone cannot unlock access to someone’s myGov account (and therefore access to someone’s welfare or tax details).

However, the Optus data breach – and future data breaches in the public and private sector – does provide Australian and overseas criminals with a set of identifiers (including passport and driver’s licence numbers), that can be used for a range of identity crimes, such as impersonating someone else.

Optus is advising affected customers to replace their Medicare card, at no cost, via their Medicare online account at myGov, the Express Plus Medicare mobile app, or by calling Medicare on 132 011.

Further details are available via Services Australia.

What else needs to happen?

As with many data breaches, details about what happened at Optus, how and who is affected are only slowly trickling out.

The Office of the Australian Information Commission – the national privacy regulator – needs to run a rigorous and detailed investigation and release its findings publicly.

This needs to be accompanied by a hard-hitting independent inquiry of what happened at Optus. This requires IT expertise, which the Office of the Australian Information Commission may not have. Such an inquiry would also demonstrate Optus’ commitment to learn from any failures.

As we have seen before, businesses and government agencies cannot assume a data breach “won’t happen to them”. We need to find out what happened at Optus to ensure the future privacy of some of our most personal data.The Conversation

This article is republished from The Conversation under a Creative Commons license. Read the original article.

Author

  • Dr Bruce Baer Arnold is an Associate Professor in the School of Law at the University of Canberra. He has a strong interest in privacy, data protection, artificial intelligence and robotics, intellectual property and health sector regulation. He is on the editorial board of Privacy Law Bulletin and an OECD Health Information Infrastructure panellist. His work has appeared in Melbourne University Law Review, Journal of Medical Ethics, Monash Law Review, Laws, Adelaide Law Review, Local Government Law Journal, Alternative Law Journal and other publications. Dr Arnold was a former board member of the Australian Privacy Foundation and a member of OECD data protection working parties.

    View all posts