The government has commissioned a review of the Health Professionals Online Services (HPOS) system, which is a possible source of the data offered by the illicit ‘Medicare Machine’ service.
The Medicare Machine was an offering on a Tor-protected ‘darknet’ marketplace — the site hosting the service has gone offline (amid rumours ranging from an upgrade in server infrastructure to an ‘exit scam’ by the site’s operators or a law enforcement crackdown).
For $30, the service would provide the Medicare card details of an individual. To function, the service requires the name and date of birth of the person whose details are sought. These are the same details that are required when using the HPOS system to retrieve an individual’s Medicare details.
Human services minister Alan Tudge has previously said that there has “not been a cyber security breach” linked to Medicare data, instead fingering “traditional criminal activity”.
The operator of the Medicare Machine service, who also claims to offer Australian credit card details and login credentials for Australian email accounts, has previously written that his or her service is “exploiting a vulnerability” that has a “solid foundation”.
HPOS was rolled out in 2009 with the aim of helping health services obtain Medicare numbers if a person sought treatment but didn’t have his or her card, with an enhanced lookup feature introduced in 2010.
The system includes online and phone channels for obtaining details.
HPOS is used 45,000 times a day, according to the government. The service is accessible to registered healthcare services that have obtained a PKI certificate from the Department of Human Services.
“The government wants to ensure there is increased security in a system which is important to both patients and doctors,” said a statement released today by Tudge and health minister Greg Hunt.
“The system, which has not been significantly altered since being brought in eight years ago, has to be both convenient and utterly secure.”
The review will be led by Professor Peter Shergold and report by 30 September.