Transcript: Sky News, Interview with Samantha Maiden and Tom Connell

5 July 2017

The Hon Alan Tudge MP

Minister for Human Services
Topics: Medicare data breach
E&OE

SAMANTHA MAIDEN:
The Human Services Minister Alan Tudge is in Melbourne. Good morning, Alan.

ALAN TUDGE:
G'day, Sam.

SAMANTHA MAIDEN:
Is it correct that you did not know that this breach had occurred at all until the journalist contacted you from The Guardian?

ALAN TUDGE:
That is correct. We were contacted, we were made aware of the allegation, and we immediately undertook an investigation and immediately referred the issue to the AFP.

SAMANTHA MAIDEN:
Take us through what is actually going on here. You have been very clear that people cannot access personal health records with these numbers, but clearly it is an issue in terms of identity fraud and organised crime.

What have you been able to uncover in the last 24 hours about what information has been leaked and how it got there?

ALAN TUDGE:
That is right, Sam. The key thing here is that some information in relation to the Medicare card number itself has been given to other people, it has been bought off the dark web.

That is what we understand. We understand it has only been a relatively small number of instances where this has occurred – The Guardian itself suggests it was 75.

There is certainly no indication that there is a widespread breach here.

It is important that people understand that it is just the Medicare card number itself which has been breached.

That card number itself does not give anybody access to anybody's health care record – that is the most important point.

Your general point about, yes, but it can still provide opportunities for other types of fraud is correct.

We have had instances in the past where criminals have broken into a doctors’ clinic in order to seize Medicare card records in order to conduct fraudulent activity with it. So it is a very serious issue.

We are treating it very seriously, and as soon as we were made aware of it we immediately undertook an internal investigation and referred it to the AFP for potential criminal investigation.

SAMANTHA MAIDEN:
I am wondering though, and I think a lot of people would be wondering, how did this information make its way from Medicare onto this website?

Who has access to this information; who would be able to replicate it? Because the story suggested that just about anyone would be able to get on this website, and essentially if you had Alan Tudge's birthday, that you could type in Alan Tudge and essentially get your Medicare number.

How are they getting access to that information?

ALAN TUDGE:
The Australian Federal Police will get to the bottom of this, and I have to be a bit careful in terms of what I say that I do not jeopardise their investigation.

What I can say though is that, the best advice that I have received from the Chief Information Officer of my Department is that there was not a cyber-security breach of our systems.

It was not a hacking of our systems as such which enabled somebody to access those Medicare card numbers, rather than it appears that it was a traditional criminal activity.

I gave an example of a traditional criminal activity just a second ago, where in the past we have had people literally break into doctors' clinics to try to seize Medicare card numbers.

I do not want to say much more than that, Sam, because I do not want to jeopardise the Australian Federal Police investigation, but I would just emphasise that it is highly unlikely that it was a cyber-security attack as such, and much more likely that it was a traditional criminal activity, and we know that it is only a small number of cards which have been placed at risk.

SAMANTHA MAIDEN:
But it is important that voters and citizens of Australia have confidence in the system, have confidence in the way that you are running Medicare and you are using this data.

Do you provide to private contractors everybody's Medicare number in Australia? Is there a private company that has that information that could be hacked or targeted?

Because presumably if criminals can break into one doctor's surgery they are not going to get everybody's Medicare numbers.

ALAN TUDGE:
I am not sure what you mean by that in terms of providing it to a private contractor.

SAMANTHA MAIDEN:
Well, I don't really understand – and I understand you do not want to jeopardise the investigation – short of hacking the government, who else would have access to this information?

ALAN TUDGE:
Again, I am very careful about what I say here. They have not hacked government systems to the best of our knowledge.

There are obviously other people who have access to Medicare numbers, but I do not want to speculate. I do not want to say anything further that might jeopardise the investigation.

SAMANTHA MAIDEN:
Then who are they? I mean, how many groups do have- I mean, I would like to know, as someone who has a Medicare number, who are the other groups other than the government that has access?

ALAN TUDGE:
I am just not going to get into this, Sam, and I hope you appreciate I am not trying to avoid the question. I have been briefed myself in terms of what the most likely problem has been.

I have also given a briefing to the Australian Medical Association president, a confidential briefing to him, and it is highly likely that it is a traditional criminal activity which has occurred here, not a cyber-attack as such.

It is a serious issue, it is a very serious issue. It is not serious in that people's Health Records are at risk.

And I emphasise that, people's Health Records are not at risk because of this, because your card alone does not give you access to your Health Record, but it is nevertheless a serious issue because of some of those things which you identified earlier.

TOM CONNELL:
You have spoken about this possible traditional criminal activity and a break into a doctor's office, but the reporter was able to get their number. Are you saying coincidentally they broke into the same doctor's office that the reporter goes to?

ALAN TUDGE:
I am just not adding any further commentary on this, Tom. Again, I hope you and your listeners will understand this.

TOM CONNELL:
But that would mean that would have to be the case, wouldn't it, if that was a possibility?

ALAN TUDGE:
Again, I am not providing any further information on this. I just do not want to jeopardise an investigation which is underway right now. It is a very sensitive matter; we are taking it very, very seriously.

The AFP will conduct its investigation as quickly as possible, and as soon as I am able to provide further information I will do so.

TOM CONNELL:
Okay, just as a systemic look at it though, because the audits office found last week 14 government departments were not up to scratch when it comes to cyber-security. Is that acceptable?

ALAN TUDGE:
I am in charge of my own Department, the Department of Human Services, and we seek guidance, advice from the Australian Signals Directorate, which is the peak cyber-security agency, and generally we have a very good track record.

Obviously we have a lot of important and sensitive information in my Department, it has the Centrelink information, it has much of the Medicare information, so we treat this very seriously.

We have a very sophisticated cyber-security team that looks after our cyber-security. I will let Dan Tehan, the Special Advisor on Cyber-Security, to provide further comments on other departments.

SAMANTHA MAIDEN:
Does it concern you, Alan Tudge? Do you think you need some sort of deeper look at the issue of privacy and security in your own Department?

We have had these allegations that you have, in the past, released personal information about your clients when they have raised complaints about the Department. We are now hearing that our Medicare number details are floating around on the dark net, presumably from some form of private contractor if you are saying it was not a government leak or a doctor's office.

I mean, haven't we got a fairly serious problem here about your management of…

ALAN TUDGE:
I was careful about what I said, so don't summarise what I said there, Sam. I was careful about what I said, that what I don’t think did occur. I am not sort of saying what we do think did occur.

SAMANTHA MAIDEN:
Don't you think you have got a problem in the Human Services Department in the way in which you handle and protect privacy?

ALAN TUDGE:
I do not, Sam. You raise two issues here, one being the current matter which we are talking about, and the AFP will get to the bottom of this and we will have more to say once they have done so.

The other one which you raised as an illustration was an example which we have discussed previously on this program.

The Federal Police looked into that matter and they found no reason to investigate it further. There was very select information, as you will recall Sam, about an individual which was provided on the express advice of the Chief Legal Officer of my Department, and as I said, cleared by the Australian Federal Police, and so it has not gone any further.

SAMANTHA MAIDEN:
Alright. Alan Tudge in Melbourne, thanks a lot for your time today. Thank you.

ALAN TUDGE:
Thanks so much, Sam.