When Department of Human Services executives turn up for their ritual Senate Estimates grilling, scheduled for late tonight, it could be worth watching for any agency that holds personal information about Australians.
Since late last month, DHS has been helping the Australian Federal Police, through Strikeforce Board, investigate reports of Medicare payments being diverted into bank accounts controlled by identity thieves. Part of the strikeforce’s role will be to help people “reclaim their identity” if it has been hijacked, according to Minister for Human Services Stuart Robert.
The need to keep private information safe is more than just a box-ticking compliance exercise, and it is near impossible to guarantee absolute security. But when it looks like a government agency is being taken for a ride, it’s best to have all the ducks in a row before appearing in the harsh glare of parliamentary oversight.
In a belated response to a series of questions from Opposition senator Doug Cameron on August 19, Robert said 369 alleged instances of potential identity fraud had been reported to the department and placed under review, but denied any “confirmed” cases of unauthorised access to private information about Medicare clients. Cameron has been pursuing the matter after departmental insiders told him scammers were accessing other people’s bank details and patient records to steal Medicare rebates.
The minister said DHS had not been able to detect any instances of its ICT systems being penetrated, but on Sunday, Cameron was able to criticise DHS for slow progress towards the mandatory requirements of the Australian Signals Directorate’s Information Security Manual, following an Australian National Audit Office recommendation to get up to speed with the ISM from early 2014.
In answer to a question Cameron asked in the last round of Budget Estimates, DHS confirmed last week that all systems that record, process and store Medicare customer data are now accredited, but it had to admit it had not fully implemented ANAO’s recommendation, giving more ammunition to the Opposition senator.
Cameron says his sources indicate the security problem could be “far bigger than originally thought” and asked a further seven questions, in which he now suggests the department is required to have notified the Office of the Australian Information Commissioner “that there may have been unauthorised and/or unlawful access to confidential personal information of Medicare clients” under the Personally Controlled Electronic Health Records Act 2012.
Robert says the monthly limit for online Medicare claims was cut to $150 to “reduce the potential for fraud” after the department picked up on “beyond trend growth in Medicare online claiming patterns” early this year, but Cameron chooses to quote the department saying it found a “high instance” of fraud.
Cameron also claims DHS has dragged its feet in reporting potential criminality to the AFP. “The AFP says that DHS has only asked for assistance for three cases of fraudulent use of Medicare information in the past two years,” he said last week. “Why so few?