Key Points
- Almost 15, 000 current and past Optus customers' Medicare details have been accessed through a data breach.
- This is what hackers can do with your Medicare details, and how you can protect yourself.
Almost 15, 000 valid Medicare numbers were reportedly accessed through a massive Optus data breach, but Services Australia says this is not enough information for hackers to be able to access victims' Medicare details.
When Optus first reported the breach on 22 September, it did not initially disclose the fact that Medicare numbers were among the sensitive details stolen by the cybercriminals.
On Wednesday, Health Minister Mark Butler said he was concerned by the delay in Optus telling the government about the Medicare data breach.
"All of this data is obviously of potential value to criminals, and that's why consumers are rightly so concerned," he told ABC radio.
"We were not notified, as I'm advised, that - among passport details, driver's licence details and others - Medicare details had also been the subject of this breach, so we're very concerned obviously about the loss of this data and working very hard to deal with the consequences of that, but particularly concerned that we were not notified earlier and consumers were not notified earlier about the breach of Medicare data as well."
So what could somebody actually do with your Medicare number, and should you be concerned?
Here's what we know.
Should you be concerned?
Services Australia is reassuring affected customers their Medicare details cannot be accessed by using just the Medicare card number.
Vanessa Teague is CEO of Thinking Cybersecurity, cryptographer, and associate professor at the Research School of Computer Science at the Australian National University.
She says it is difficult to determine whether or not cybercriminals would be able to access customers' Medicare using other information obtained during the hack.
"The last time I checked, you needed not only the number and the expiry date and so forth on the card, but also the dates of birth of the other family members on that card," she said.
"It doesn't seem impossible that a family of four with two older kids with mobile phones might all have signed themselves up together, and it's possible that for those families, all of that information might be in the leaked Optus data."
"Different people are going to be concerned about different things, and different individuals are going to have different kinds of data that has been exposed ... for some people, the financial risk of identity fraud is going to be the primary concern.
"But for other people, the risk of exposure of personal medical data might be something that they're much more concerned about."
How do I protect my details online?
Those concerned or affected can online through myGov, which will create a new card with the same number apart from the final digit.
In order to access your myGov account or to link it with Medicare, you will need to provide answers to a series of personal questions.
"We’ll send you a new Medicare card, and your old card will no longer be valid," Services Australia General Manager Hank Jongen said.
"This will prevent people from being able to use the old card details for fraud."
There is no cost for replacing your Medicare card.
Services Australia advises customers to ensure their myGov password and PIN can’t be easily guessed and that it is different from those used for other online accounts.
There is also a sign-in option to require an SMS code for sign-in, which makes it harder for people to compromise your account.
If you believe your Medicare or Centrelink account has been compromised, you can call the .
What could somebody do with your Medicare information?
Professor Teague told SBS News there could be several potential uses for stolen Medicare numbers.
"One thing that is a concern is obviously Medicare fraud, maybe somebody who's not eligible for Medicare goes into doctor and needs medical care and charges it to your Medicare card ... that's a risk to government revenue; it's not so much necessarily a risk to the holder of the card," she said.
"The other possibility is like all of the other data, there's a possibility of trying to use it for identity fraud as part of an ID check."
"And then the third possibility is whether it's possible to use your Medicare card to convince Services Australia that you are you and therefore get access to the data in your Medicare account ... I'm not sure whether they can, I think you would need at least some other data."
What about your health records?
In the event that somebody is able to access your account, one of the main things they would be able to access would be your health records.
Professor Teague says while some people might not take issue with this, others would find it very concerning.
"There's actually a lot of other information in your health record; not just sensitive information about your health, but also information about your physical location because it states where you went to the doctor or where you've filled in your medical prescriptions, and in some cases, it might indicate what kind of medications you're on or what kind of illnesses you have," she said.
"And you can understand why that might either have commercial value or potential for manipulating the person in some way."
Have Medicare numbers been compromised before?
In July 2017, data from the dark web marketplace revealed Australians since October 2016.
Greg Hunt and Alan Tudge, who at the time were health minister and human services minister respectively, announced a review into the security of Medicare online.
During the Senate committee hearing, then-human services deputy secretary Caroline Edwards said she believed the information had been accessed and distributed by a person at a medical service, rather than sophisticated hackers.
