Aussie Medicare Data Taken Offline After Potential Breach Noticed

In August this year a dataset containing 30 years' worth of Medicare and Pharmaceutical Benefits Scheme information was made available to researchers via The Department of Health's open data portal.

Yesterday the data was removed by the department, following a tip-off from a Melbourne researcher that practitioner details in the data could be decrypted.

ITNews reports Melbourne University's Dr Vanessa Teague discovered it was possible to decrypt some of the service provider ID numbers attached to doctors.

"As a result of the potential to extract some doctor and other service provider ID numbers, the Department of Health immediately removed the dataset from the website to ensure the security and integrity of the data is maintained," The Department of Health confirmed in a statement.

No patient information has been compromised, and no information about the health service providers has been publicly identified or released, according to The Department of Health.

A full, independent audit of the process of compiling, reviewing and publishing the data will be conducted. The Department of Health says the dataset will be made available again, but only when the current issue is resolved.

The Department of Health notified the Australian Privacy Commissioner Timothy Pilgrim of the "potential vulnerability", and an investigation has been opened.

"The primary purpose of the investigation is to assess whether any personal information has been compromised or is at risk of compromise," Pilgrim states, "and to assess the adequacy of the Department of Health's processes for de-identifying information for publication."

    It wasn't long ago that they were talking about a medical card that allowed practitioners to access our records via the net and we were told that the information would be very secure. Then you read this shite! No way in hell should this have even been considered.

    I'm sure that the Medicare data is just as secure as the census data.

    Dr Teague categorised the encryption as "not best practice" and stated her team were able to reverse engineer it within a matter of days. Considering the data set contains historical data up to 30 years old, you have to wonder whether the audit is going to flag something along the lines of periodic updating and de-identifying of data sets commonly used in research.

    Also, I bet there are quite a number of distressed researchers following AG Brandis' announcement to table an amendment to the Privacy Act that will criminalise re-identifying de-identified government data, including if one were to "counsel, procure, facilitate, or encourage anyone to do this, and to publish or communicate any re-identified dataset."

    ALWAYS SALT and ALWAYS encrypt the hell out of that shit with AES256 or one-way with SHA-2 256 or preferably 512 bits.

    Hang on so no data was recorded as being taken, the vulnerability was told to them. Yeah it's being called a breach? Potential for a breach perhaps or you know a vulnerability discovered.

    The original dataset can never be withdrawn. It's a privacy breach. Too late. The only person to trust with your information is yourself. And a lot of people struggle with that.

