Medicare Number System: Secured Like It’s 2009

Medicare Number System: Secured Like It’s 2009
To sign up for our daily newsletter covering the latest news, hacks and reviews, head HERE. For a running feed of all our stories, follow us on Twitter HERE. Or you can bookmark the Lifehacker Australia homepage to visit whenever you need a fix.

Over the last eight years a lot of things have changed. And amongst all the new gadgets, technical advancement and rise of cloud-based technologies there has been one major shift – the commercialisation of cybercrime. Which makes the government’s cluelessness about cyber risk even more confounding. Today, we learn that the Health Professionals Online Services (HPOS) system has not been updated since it was implemented eight years ago.

HPOS is used by healthcare professionals to get access to someone’s Medicare number when they don’t have their Medicare card with them. It’s basically an online inquiry system – that is used by over 200,000 people about 41,000 times a day. This is likely what the Medicare machine thief has been using to sell Medicare numbers for about $30 each.

Tracking down who is actually behind the Medicare machine will take some doing. Anyone who has worked in the healthcare business knows that shared user accounts and passwords, and unsecured machines are commonplace.

We could be dealing with a non-health professional who has discovered someone’s workstation is unlocked for all we know.

Ultimately, the government is responsible for securing the personal data of all citizens that is stored in systems they deploy. This recent breach is a sign of the cluelessness that pervades the government when it comes to doing real risk assessments and understanding the sensitivity and value of data they hold.

While the cybersecurity strategy is a great step forward, there is a gap between the goals of this strategy and the implementation of sound risk management today.

The assumptions of 2009, when HPOS was deployed, are no longer relevant to today’s world.

Heck, with Medicare rebates paid to doctors being so low, it would not be surprising to me if some are looking for new and innovative ways to supplement their income!


  • Given the attacker has been doing this periodically and claims that the exploit is something they will always be able to use I think it’s unlikely to be an unlocked terminal.
    It could be an employee of a practice – but not many of your medical receptionists, clinic nurses, allied health and doctors are likely to be setting themselves up as vendors on the darkweb marketplace (can’t rule it out though) .
    I’d find this a much more likely scenario: most medical practices see IT as an extra administrative burden forced on them by government “incentives” ( if you don’t adopt xyz you lose an incentive, or you get paid slower etc.) and they typically don’t have $$ to have dedicated staff onsite managing their IT. So what typically happens is they outsource this to a IT service provider who specializes in Practice Management Software – they will send staff out to set up your servers, desktops, deploy updates to software (drug databases, interactions, medicare schedule, updates to the Practice software, setup a new feature, setup a new clinic room, send someone out when a printer breaks etc.) .
    They’d be going to different practices on an almost daily basis ( or frequently have remote access to the same) so they could just issue the request while they are there/ or via remote access.
    These people will also be managing deploying / configuring PKI keys for interactions with HPOS and the government B2B gateways so they’ll have access at a level where they could potentially clone / copy the keys and any passphrases ( and so may be able to impersonate the practice).
    I suspect that’s what’s happened given the darknet vendor’s claim of having a deep level of access that would be difficult to fix.

      • Cheers, but that media release states:

        The system, which has not been significantly altered since being brought in 8 years ago,…

        This is not quite the same as:

        …system has not been updated since it was implemented eight years ago.

        Indeed the media release actually states above that quote that they introduced new functionality in 2010 (functionality not security improvements per the crux of the article).

        I agree that it should be under regular review/revision per the rest of the article, but that statement is misleading and would be alarming if true (not been updated immediately brings to mind unpatched servers).

Show more comments

Comments are closed.

Log in to comment on this story!