Data breaches have been a hot topic for a while. Optus and Medibank have been two of the largest data breaches in Australian history, and I am sure there are many more that have not been reported, not necessarily of the same scale.
The Optus and Medibank breaches involved different methods of access. In the Optus case, the data Optus held was exposed through a connection intended for other legitimate third parties (such as rebranded Optus resellers) that need to exchange information with Optus. This is much like the way your practice information system links to Hicaps/Tyro, which then communicates with the health funds so they can match the information you provide against what they hold. The difference is that in Optus's case the connection was not protected the way other systems are.
More information available here: How Did the Optus Data Breach Happen? | UpGuard
In Medibank's case it was far worse: the attackers gained access to Medibank's internal systems by stealing the login credentials of someone with a high level of system access. They could have been connected for an unknown period, as they had the access they needed to place their own backdoors into the system. (Note: in most cases where we maintain a separate server, the credentials for that server are kept with us at Data Vision and very rarely provided to the practice itself or to any third party. If access is needed, we provide it to the practice or the third-party vendor.)
More information available: Three Law Firms Team Up to Seek Compensation From Medibank for Data Breach (gizmodo.com.au)
Some of you would have received an email from Medibank regarding Health provider details, including names, provider numbers and addresses being accessed.
Below is a note from the following page: Provider cyber event information | Medibank
From a provider's viewpoint:
Your health provider number: Services Australia has advised the following:
A Medicare provider number uniquely identifies both the provider and the place they work. These are publicly available numbers that are printed on health certificates, and patient referrals and invoices.
Please be assured a provider number is not enough information for a criminal to access Medicare records or claiming systems. These claiming systems include security measures to prevent unauthorised access.
As an additional measure of security, if providers need to update their bank account details, this can be done online through HPOS – Services Australia.
If you’re concerned that your provider number has been exposed, you don’t need to request a new provider number. If you suspect someone may be committing fraud against Medicare, you can report it on the Reporting fraud – Contact us – Services Australia.
From a patient's viewpoint:
What to do if you’ve been affected by the recent Medibank Private and AHM data breach:
Please be assured people can’t access your Medicare details with just your Medicare card number.
If Medibank Private or AHM has advised you that your Medicare card number was exposed and you’re concerned, you can replace your Medicare card.
The easiest way to do this is by using your Medicare online account through myGov. Find out how to replace your Medicare card online.
We're also putting in place additional security measures to protect your information.
The above information is from: What to do if you've been affected by the recent Medibank Private and AHM data breach (servicesaustralia.gov.au)
Protecting your personal information after a data breach: Protecting your personal information after a data breach – Managing your money – Services Australia
What I would do personally as an individual/business:
If both my driver's licence details and Medicare details were exposed, I would replace both. Why? Both sets of information usually form identification and can be used for identity theft purposes.
There is help if you feel identity theft has already occurred: Medibank (idcare.org)
The link above has some great reading and breaks it down into Current Scam Activity, Precautionary measures etc.
Below is more information on driver's licences regarding the Optus breach:
My two top tips are:
Number 1: Put multi-factor authentication on emails, bank accounts, external access to your work network, and basically any internet-facing application. It might take an extra 10 seconds each time, but it will save a lifetime of regret!
Number 2: If an email originated from outside the organisation, do not click links or open attachments unless you recognise the sender and know the content is safe. Never enter your username or password!
Side note: Fingerprint authentication – not recommended, and I will explain why. I was driving my 21-year-old son and one of his friends; during the conversation we talked about many things, and his friend mentioned he had drunk too much at a Christmas party for the law firm he works for (he said possibly drugging, but who knows). He was walking down Rundle Mall late afterwards and ended up passing out. While he was passed out, someone managed to get into his phone using his thumb/fingerprint and could gain access to the phone, messages, etc. They did try to access his bank accounts but didn't manage to get through; they got close. I would say the same goes for facial recognition.
Some further reading:
This resource is from Business SA and is a quick read but contains some very important information: How to avert a cyber attack: The 8 essential areas to focus your efforts | Business SA (business-sa.com)