Transcript: Radio National, Interview with Fran Kelly

5 July 2017

The Hon Alan Tudge MP

Minister for Human Services
Topics: 
Medicare data breach
E&OE

FRAN KELLY:
Alan Tudge, is the Minister for Human Services. Minister, welcome back to Breakfast.

ALAN TUDGE:
G'day, Fran.

FRAN KELLY:  
Can you confirm the report in The Guardian yesterday that Australians' Medicare details are for sale still on the internet in what is known as the dark net?

ALAN TUDGE:
That is the claim made in The Guardian and we are taking that claim very seriously, Fran.

FRAN KELLY:  
I am asking you now. You have had 24 hours. Can you confirm that that is true?

ALAN TUDGE:
My understanding is that it is true and we are taking these issues very seriously.

I have launched an internal investigation as well as referred the matter to the Australian Federal Police. I should point out though that what is being bought and sold on the internet to my understanding is the Medicare card number only.

You referred to, in your introduction to your program, that these were Medicare records. That is not the case. It is the card number only, and that card number alone cannot access anybody's Health Records.

This is a very important point, and anybody who suggests otherwise is being deliberately scaremongering in my view and is being irresponsible. And I have noted that Tanya Plibersek, who you just had on your program, or played a clip of, has been doing just that.

FRAN KELLY:  
What I actually said was that The Guardian report says that people's Medicare card details have been sold, which is what I understand – the card number, the card details have been sold.

ALAN TUDGE:
Yes, it is not the Medicare records though.

FRAN KELLY:  
No, no, no, I did not say that.

ALAN TUDGE:
It is not the Medicare records. It is the Medicare card number itself which is being allegedly sold.

FRAN KELLY:  
Alright, I want to come back to some other points, but let's go to this first since you have raised it. So you say that means people's records cannot be accessed.

So if you have a Medicare number, if you have a name and a date of birth and a gender, what else is needed to access your Health Records online, for someone to access it?

ALAN TUDGE:
You need a number of other pieces of information if you are trying to access somebody's My Health Record.

FRAN KELLY:  
Like privacy passwords or something?

ALAN TUDGE:
You need privacy passwords if you are trying to access it through your myGov account – you know, your email, your password, et cetera.

If you are setting up a My Health Record then you might need to provide, say, your bank account details which are linked to Medicare.

You might need to provide information about your last doctor visit when a Medicare benefit was claimed, including the date of service and the surname of the doctor.

There are a number of different types of information which you can provide in order to prove your identity. You cannot just do it with a name and address and a Medicare card number, and that is the most important message I want to get through.

FRAN KELLY:  
That is a key message.

ALAN TUDGE:
That is a very important message. The allegation is that several dozen card numbers have been sold. The card numbers alone did not allow anybody to access anybody's Health Record.

FRAN KELLY:  
Okay. We will come back to what they might allow people to do in a moment. But just want to get some of the basic details because, as you say, the Government has the Federal Police working on this and your Department presumably has been investigating it since The Guardian alerted them to it.

The Guardian says 75 cards have been sold through this site on the dark net. Is that the number that the Government has confirmed?

ALAN TUDGE:
I cannot confirm that number. That is what is alleged by, I think, the website itself, which is reported in The Guardian, but we believe that it is a small number in the dozens.

There is no indication that there is any widespread breach. And I should point out as well that the advice that I have received from my Chief Information Officer of my Department is that this is not a cyber-security attack as such, but is more a traditional criminal activity that has occurred.

FRAN KELLY:  
What does that mean?

ALAN TUDGE:
This means that someone has not hacked into a database but it is – and I cannot say too much while there is a Federal Police investigation into it – but it means just that: a traditional criminal activity.

We have had such traditional criminal activities in the past, for example, where someone has literally broken into a doctor's clinic to seize Medicare card numbers which they will then try and use for fraudulent purposes.

FRAN KELLY:  
Alright, but let's suppose that is it outside of someone's broken in or someone who has legitimate access to the system has stolen it.

Presumably that would send up a red flag wouldn't it, or there would be an audit? Is there a system audit to check who has accessed the entire system or who has downloaded the system?

ALAN TUDGE:
No one has downloaded the system as such, and that is the other important point. This is not, to the best of our knowledge and on the best advice that I have got at this stage, an attack on the system where someone hacked into the system to download…

FRAN KELLY:  
No, I am not talking about hacking in, but downloading it. The person selling these is claiming that it is a vulnerability breach in the Department system and that they have access to every Australians' Medicare number, which suggests they have access to the entire database.

ALAN TUDGE:
I cannot say too much, Fran, purely because of the Australian Federal Police investigation which is going on, and I don't want to jeopardise that investigation.

I will say that the policies upon which people can access Medicare data numbers today probably legitimately are the same policies which have been in place for many years.

We are doing an internal investigation while we review some of those policies, but I do not want to compromise any federal police investigation by revealing too much on your program.

FRAN KELLY:  
Can we just quickly deal with those three questions that we heard Tanya Plibersek put there - How many records have been breached; when did the Government know; and have you contacted those who have had their Medicare details breached? Have you contacted the people whose numbers have been breached?

ALAN TUDGE:
The people that we know have had a Medicare card number breached we have contacted, and that is standard practice.

FRAN KELLY:  
So how many have you contacted?

ALAN TUDGE:
I do not know the answer to that question. It will be a very small number. The allegation is that it is a small number which have been breached and there is no indication that this is widespread.

The question of when did I know about it, we first found out about it yesterday because of The Guardian newspaper article. Immediately upon hearing of this claim, as we always do when there is a claim of criminal activity or fraud, the AFP is alerted and we undertake an internal investigation.

FRAN KELLY:  
So Minister, is that alarming? A sense that our government is only alerted to this activity, which has been going on apparently, according to The Guardian, since October last year, by a news outlet, by a journalist?

Do we have, in our government departments, in our security operations, people accessing the dark net searching for this information? And have you ascertained whether any other sites are selling information like this?

ALAN TUDGE:
We have got very sophisticated cyber-security operations in place. We get our advice and our assurance from the Australian Signals Directorate, which is Australia's top cyber-security agency…

FRAN KELLY:  
Someone missed this one, right?

ALAN TUDGE:
[Continues]…our top cyber-security agency. These claims were brought to our attention yesterday, they were just that at that stage, and as soon as those claims were brought to our attention, as any claim of fraud which is brought to our attention, they are immediately investigated and that is exactly what is occurring presently.

FRAN KELLY:  
Is it good enough though that someone could be offering Australian Medicare numbers under the logo of the Department of Health's logo since October last year and no one in our intelligence agencies or our cyber-security operations have picked that up? Is that satisfactory?

ALAN TUDGE:
It is very serious when someone is trying to unlawfully acquire Medicare card numbers. Even though the Medicare card number alone does not get you very far, it is still nevertheless a very serious issue which we are taking seriously, and hence we are undertaking this investigation immediately and have referred it to the Federal Police.

We will always do that, but I would just re-emphasise this point because I want to reassure Australians, is that no one's Health Record is in jeopardy because of this, because just the card alone – as people probably know – just the number alone does not give you access to anybody's Health Record.

FRAN KELLY:  
Minister, as you have said, you have confirmed that some people have been contacted. That suggests you have worked out who is doing this?

ALAN TUDGE:
Whenever we know that anybody's card has been compromised, my Department will contact them and alert them to it.

FRAN KELLY:  
Yes, but to work that out you must know how this breach occurred, yeah?

ALAN TUDGE:
I cannot say too much because of the AFP investigation, and I am sure you will appreciate that.

I do not want to jeopardise that. I have had the advice that it is not, to the best of our knowledge, a cyber-incident as such but more a traditional criminal activity, but I cannot say too much more about it. I have my strong suspicions, but we are leaving it obviously up to the police to do a proper investigation.

FRAN KELLY:  
Just finally, you want to reassure everyone that peoples' Health Records cannot be breached by access to these numbers alone, but a lot of other things could happen.

The Medicare card is worth 25 points in the identifier test; it could be used by someone to help them rent a property, buy a mobile phone – all the sorts of activities that suspected terrorists could engage in, not to mention Medicare fraud. What is your biggest concern about this breach?

ALAN TUDGE:
It is a concern generally that someone is able to acquire those Medicare numbers and is selling them. That is a concern.

What a criminal will use that data form I do not know. Obviously a Medicare card can be used for an identity check, but it alone is never a sufficient identifier; you always need additional information, but it can be an important one.

FRAN KELLY:  
I mean, we have had a lot of people text in while this interview has been going on, saying they care about Medicare fraud, that this leaves it wide open.

ALAN TUDGE:
That is actually a concern as well, is this- obviously every Australian, every Australian permanent resident can get access to a Medicare card in order to get free GP and hospital services.

There have been incidences of fraud in the past, where someone's acquired a Medicare number and fraudulently got medical treatment using that Medicare number.

Again, we have compliance activities to try to fix that up, where we know that that is occurring. Compliance activity is to try to pick that up in order to identify where that is occurring, of course, and that is one of our concerns with this.

Again I stress that the numbers we believe are very small, it is not widespread, and most importantly nobody's Health Records are in jeopardy as a result of this.

FRAN KELLY:  
Just one more on this. We have had a lot of calls, texts, and tweets on this, Minister, while we have been speaking. We are speaking with the Human Services Minister Alan Tudge.

But someone has written in, saying: I am a GP; I have a patient whose mother's Medicare number was stolen by a carer at her nursing home, several others stolen; these numbers were then used to help facilitate doctor shopping for narcotic analgesia; police not interested; Medicare cards need more identifiers.

What about that as an idea? Are you considering it? Some have suggested we could have a pin linked to our Medicare card, or we could consider changing the scope of the use of the Medicare card. Is the Government thinking about this?

ALAN TUDGE:
All of those things can be looked into. One of the issues, of course, is that sometimes people will arrive at a surgery or arrive at a hospital, not have their Medicare card number on them but nevertheless need urgent treatment, and we also need to be able to accommodate that as well.

Or if people forget their pin and they arrive at a Medicare clinic without their pin or they forget it. So there are some complications in relation to that which need to be carefully thought through.

We are undertaking an investigation; there will be a review, as well as the police are looking into this and potentially looking into it from a criminal perspective. But again, I just reassure your listeners, reassure Australians that nobody's Health Records are compromised as a result of this.

It is just the Medicare number alone. It is a small number, we believe. There are no widespread breach, no widespread access that we are aware of, and it has not been a cyber-security incident that we are aware of.

FRAN KELLY:  
Alright, Minister. Thank you very much. We appreciate you coming on and speaking with us.

ALAN TUDGE:
Thanks so much, Fran.

FRAN KELLY:  
Alan Tudge is the Minister for Human Services.