Medicare access to be reviewed after breach discovery

The federal government has ordered a review of the way heathcare providers access Medicare card numbers following the revelation that the details were being sold online.

Last week The Guardian revealed Medicare card data for any Australian was being offered on the dark web for around A$29 per file.

The manner in which the data was being sold led to the presumption that the unknown individual was exploiting legitimate access to obtain the details.

Alongside payment, the seller requested a target's full name and date of birth - the same data required for a search on Human Services' HPOS Medicare verification service for healthcare providers.

The data the seller promised to provide was a Medicare card number and individual reference number (IRN) - the same data returned in an HPOS search.

The federal government has said the card data breach was likely perpetrated through "traditional criminal activity" rather than a vulnerability in Medicare systems. It has declined to provide any more detail while an AFP investigation is underway.

Just under 210,000 healthcare workers - including medical practitioners as well as administrative staff - across Australia have access to HPOS, according to Human Services' most recent annual report. The system was accessed 3.9 million times during 2015-16.

The government today said the system not been significantly updated since it was first introduced eight years ago. It was introduced to allow people to get emergency treatment if they don't have their card with them.

Ministers Alan Tudge and Greg Hunt said the review would examine the balance between the system's convenience and security.

The review will be led by professor Peter Shergold, assisted by president of the Australian Medical Association Michael Gannon and president of the Royal Australian College of General Practitioners Bastian Seidel.