An audit of Medicare's customer database has found a small number of cases of 'intertwined' customer records where two people's records have been combined, giving rise to "privacy and clinical safety risks", according to an auditor-general report tabled today.
According to the Department of Human Services, 34 instances of 'intertwining' have been discovered since the department started maintaining records on the issue in 2011. The DHS has a working group dedicated to eliminating the issue.
More than 23 million people were part of the Medicare system in 2012-13, including 618,533 new enrolments, the auditor-general's report notes. There were 29.3 million customer records when the Australian National Audit Office (ANAO) accessed the database in September last year.
Details of users of Medicare services are stored in a database called the Consumer Directory. The audit found that the DHS has "not been fully effective in maintaining the integrity of data" in the database.
An analysis by the ANAO found at least 18,000 "possible" duplicate customers, "active records for customers without an entitlement as well as inactive records and some with unusual activity" and "records which had customer information inconsistently, inaccurately and incompletely recorded."
"While the number of compromised records held in the database is not significant given the scale of the department’s data holdings, the data integrity issues referred to above indicate that departmental procedures and key elements of the data input control framework require management attention to improve operational efficiency, better protect customer privacy and clinical safety, and reduce the risk of fraudulent activity," the report states.
"The extent of the data integrity issues highlighted by the audit and the length of time these issues have been evident also indicate a need for the department to periodically assess the underlying causes of data integrity issues and implement necessary treatments."
The audit found that the Department of Human Services had failed to comply with two mandatory standards in the government's Information Security Manual: "The department has not completed all of the mandatory security documentation required by the ISM for the systems that record, process and store Medicare customer data," the report states.
"Further, it has not completed the certification and accreditation processes for these systems or most of the infrastructure that supports them, as required by the ISM. Fulfilling these requirements would assist Human Services to identify and mitigate risks to the security and confidentiality of Medicare customer data."
A DHS statement in a response to the auditor-general's report said that the department "recognises that the audit highlights several opportunities to further strengthen and enhance the management and integrity of the Medicare customer data and is strongly committed to ensuring the ongoing completeness, accuracy and reliability of customer records."
Today's report is a follow-up to one issued by the ANAO in 2005, which found that although the "great majority" of Medicare enrolment data was "sufficiently accurate, complete and up to date to support HIC’s efficient administration of Medicare", it also warned that "some data, particularly in fields containing various dates, was logically inconsistent or in error".
That audit found that a number of records were "probably for people who are deceased", while data in some records indicated that a person had enrolled in Medicare before they were born. A number of people had duplicate entries in the Consumer Directory.