The privacy issues in the Health system: Medicare Australia and my.gov.au
Medicare Australia moves to australia.gov.au, and then to my.gov.au...
I am a very rare user of Medicare Australia, and I sincerely hope to be able to stay this way. Today was one of those rare occasions when I needed to log into the medicareaustralia.gov.au website. After going through the long process of entering all the required numbers, names, passwords, addresses and secret answers, I was unpleasantly surprised by a new additional question “Do you have an existing australia.gov.au account?”
If you choose “No”, you will be redirected to australia.gov.au website to register and create an account there. If you choose “Yes”, you will be still redirected to australia.gov.au and told to use your australia.gov.au user ID and password to login to australia.gov.au, and access your Medicare data from there. The redirection is accompanied by statements about improvements: “We are improving our online services. From 3 December 2011, you will be required to register for an australia.gov.au account when you log on to your existing Medicare Online Services.”
It would be easier to believe that pushing everyone to australia.gov.au was an improvement if:
1. If there was some flexibility.
Users should still be allowed to access their account through medicareaustralia.gov.au and choose to postpone registration in australia.gov.au. What if they need to access their Medicare information right now and don’t have time for creating a new account and figuring out how to use a new website?
2. If it wasn’t a process of putting all eggs in one basket and compromising security.
The text that was meant to convince users says “Having an australia.gov.au account means you only have to remember: one user ID, one password, one website to access all your Online Services account”. If some users have difficulties with remembering their passwords, they could use the same password for different services without being forced to a new website, but each service or company has always recommended using different credentials for security reasons: if one part of the system is compromised, the rest stays protected. Now it seems to be fine to use one password for everything. Are there no more breaches of privacy and security in the world? I doubt it. This merging means that if you lose one password — you lose everything; if someone steals one password — they get access to all your private information held by the government online services.
To cover up this fault, australia.gov.au forces the users to change their passwords every 6 months. When an infrequent user logs in, they face the message: “To help keep your information secure, passwords expire after 180 days. Your password has expired and needs changing.” Such forced password change does not increase the security; it actually compromises it, because even if the user initially chose a strong password and kept it secret, after a few changes they will have trouble remembering the ever-changing password and will have to write it down somewhere.
3. If it wasn’t creating a privacy-invading inter-department monster.
It is stated on Medicare and Australian Government websites that “australia.gov.au can be used to access a number of other government agencies - including Centrelink, the Child Support Agency and Medicare Australia”. What if the users don’t need Centrelink or the Child Support Agency? Why must they register for a service, the only purpose of which is to link three things, if they only need one? And then, by merging separate websites and services into a bigger thing, one creates a bigger chance for something to go wrong and a smaller chance for finding who is responsible for the error, let alone the difficulty of fixing the error.
There are already mismatches and discrepancies (see point 4).
4. If it wasn’t a situation when one hand doesn’t know what the other one is doing.
The Medicare website says “We are making it easier for you to use Medicare Australia Online Services. The first step requires you to have an australia.gov.au account”, and persistently throws the users who are trying to log in to medicareaustralia.gov.au to australia.gov.au and forces them to register there. No choice, no way around.
When the very same users try to register for australia.gov.au, they have to read the Terms and Conditions, which state that “You may choose not to have an australia.gov.au Account”. So, “must” or “may”? Quite a difference! Or does it mean one may choose not to have an australia.gov.au account, but the person then loses access to Medicare online? If so, it is like “you may choose not to breathe”.
5. If the australia.gov.au account did not expire and was not deleted every 18 months if the user did not use it during that period.
“You may close your australia.gov.au Account online at australia.gov.au. If you do not access your australia.gov.au Account for eighteen (18) months, your australia.gov.au Account will be closed. If your australia.gov.au Account is closed, we will delete the information you provided, including your secret questions and answers. Closure of your australia.gov.au Account will not affect your access to other Participating Agency online accounts.”
It is very nice that the users are given the choice to delete their account and information, but why force them to use the site? The Medicare account did not have the expiration condition. So, if you are healthy and don’t need your Medicare every year — too bad.
There is another incorrect promise: “Closure of your australia.gov.au Account will not affect your access to other Participating Agency online accounts”. It basically says that the users can access their Medicare account without having an australia.gov.au account. That is wrong! And that is why you are reading this article. The users cannot access their Medicare account without australia.gov.au.
6. If there was a substantial reason behind it.
After creating an australia.gov.au account, being assigned an absolutely meaningless user ID that consists of random letters and numbers, being told to remember that ID or access to this account will be lost forever, and linking the Medicare account to australia.gov.au, the users can log in to australia.gov.au, go to the My Account tab and finally click the Medicare Australia link in the My Linked Accounts section. And... the users are redirected to the old medicareaustralia.gov.au site, which has the same address, the same look and the same functionality as before.
Question: What does anyone who wants to access their Medicare account need australia.gov.au for?
Answer: For no apparent reason. The obscure reason may be that the new user ID is a step towards an Australia-wide identification for mass-surveillance and cross-department information exchange, a part of a plan the Australian government devised and is gradually implementing without public awareness.
I hope there is a decent reason and I simply [even after a decade of creating and maintaining websites] can’t figure it out. I do hope that it is something more than an attempt to create an illusion of one big e-Australia. E-Australia will happen when each website is quick to load, easy to use and hard to hack; not when many slow and complicated websites are merged into one.
7. If it wasn’t another step towards encroachment on the personal privacy.
Australian Medicare is not just about “delivering affordable health care to Australians” anymore, it became the largest collector and distributor of readily-identifiable personal information in Australia. It collects and holds private, personal and sensitive information about all Australians right from the moment of their birth, whether they wanted it or not. It also provides this information to other government and non-government agencies for various purposes, of which the people are neither notified, nor ever consented to.
For example, for migrant Australians, Medicare constantly passes their personal information to the Settlement Database — a database maintained by the Department of Immigration and Citizenship — and whenever the person updates their address with Medicare, thinking that it’s all about their health, the Department of Immigration and Citizenship is provided with the new address of that person too. Every movement of migrant Australians is monitored, even after they become Australian citizens. Their private information is used for research, politically-induced surveys and statistics, and that means not all Australian citizens are treated in the same way. The Privacy note on the Medicare Enrolment Application form says the following:
The information you provide on this form will be used to determine eligibility for Medicare benefits and to maintain a record of entitled persons for government programs administered by Medicare Australia. Collection of this information is authorised by law and may be disclosed to the Department of Health and Ageing, Centrelink, the Department of Veterans’ Affairs and the Department of Immigration and Citizenship.
It clearly says “the information on this form”, it doesn’t say “from now on we will share your information with other agencies for the rest of your life and tell them about every move you make”, and that is untrue and misleading.
In addition, there is no guarantee that one day all the private and sensitive information entrusted by people to what once was a government agency cannot be sold off. Look at CITEC — an organisation given a power to manage shared services for the whole Australian government, including the major consolidation of Queensland government data centres, an organisation given access to more than 40 government and commercial information sources, including the data in investigative reports, property registers, motor vehicle registers, traffic incident reports, crime incident reports. CITEC is not just making money out of the private information that people had to provide by the government’s demand for free in the first place, but it is also considered that it could be sold off as part of a revenue drive to bring the economy back into the black.
20 December 2011
December 2012 update:
On top of alarmingly frequent cases of privacy breaches by the Medicare employees, given all the above, Medicare demonstrated that it cannot be trusted with one bit of personal data. It definitely should end the hypocrisy and stop hiding behind the affordable health care mantra saying “it’s free ’cause Medicare pays for that”. Medicare doesn’t pay for anything. Australian taxpayers do. Medicare just grabs 2% of each person’s income and redistributes it at its own discretion. Which means that to a person who looks after their own health and rarely uses public services, this “free” health care costs quite dearly. Given that, due to privacy implications, many people do not want to disclose their Medicare card number when seeking medical help and therefore have to pay full costs, they are ripped off twice.
What should have been done instead
If the Health part of Australian Government really wants to make some improvements, it should do the following:
1. Abolish the division of the health care system by states and incorporate all the most progressive state legislations into a uniform national health care system.
The state-governed health care creates big obstacles for recognition of medical workers’ training, contributes to the delays in medical services, worsens the shortage of medical staff, encourages excessive bureaucracy, and constitutes a huge inconvenience for the patients and medical personnel who move interstate.
2. Outlaw the medical practice where the patients have little or no say in every decision about their health; where the patients are not given unbiased, true and comprehensive information about their conditions, risks and options, or not given full, free and unconditional access to all their medical records and diagnostic test results (see the article Your health, your body — your right, your choice).
3. Accept and legislate that every sound-minded person can decide for their body, which, besides any medical screening and treatment, must include abortion and euthanasia.
4. Keep politics and religions away from people’s health and bodily autonomy.
Things like abortion and euthanasia must not be the decision of politicians or religiously influenced powers. They must be available as an unobstructed choice, and must be the decision of every person and their loved ones. Only the individual should have the power to decide whether there is a place for politics or religion in their own health and body.
The eCircus continues: from australia.gov.au to my.gov.au
1 October 2013 update:
Another e-“improvement” in e-Australian e-government: you no longer can log into australia.gov.au. Instead, you will be greeted with the following message:
“The australia.gov.au account has changed
The Australian Government has replaced the existing australia.gov.au account with a new service called myGov. It's easier to use and will get better over time as new services and features are added.”
Needless to say, any attempt to use the member services (like Centrelink, Medicare or Child Support) directly results in being told to go and create a myGov account.
On the technical side, the my.gov.au account username is the same meaningless bunch of letters and numbers as it was in australia.gov.au, but now it is compulsory to tell them your email address (before, supplying any identifying or contact information was optional).
What are they going to introduce next? Making eHealth opt-off instead of opt-in? Anything is possible when it comes to the individual privacy in the hands of the government.
21 May 2014 update:
The Australian Tax Office (ATO) confirmed that myGov accounts are now mandatory for lodging tax returns online. The myGov website must have had such bad uptake amongst Australians that they resorted to brute force: Want to continue using e-tax? Must create a myGov account!
The ATO myGov Terms and Conditions state that as myGov is managed by the Department of Human Services, all the personal information that previously could have been confidentially trusted to ATO, now will be shared with the Department of Human Services and all other government agencies that the person will eventually be forced to link to myGov account: “The nomination of the Department of Human Services will allow myGov to disclose your name, date of birth and your contact information to other federal government agencies that you have already linked to, or decide to link to. The disclosure of details will allow myGov to confirm your identity between these agencies and provide those agencies with notifications of changes of your details.”
“Decide”, huh? This year, everyone who decides not to be forced into leaving personal information for hackers on the vulnerable myGov website will have to submit the tax return on paper. E-Government, at its best! Here is a great article by Nik Cubrilovic, a security specialist, hacker and user privacy & online rights advocate: Multiple Vulnerabilities in myGov, the Australian Government Single-sign-on Solution for Citizen Services.
In addition, ATO myGov Terms and Conditions and Privacy Notices say that “the ATO also provides taxpayer information to treaty partners overseas under international tax agreements with many other countries.” So much for “we take the security and privacy of your personal and taxation information very seriously”!
Australians don’t want eHealth? Too bad, let’s force it!
19 June 2014 update:
The worst expectations were exceeded. According to the Recommendations Of The PCEHR Review, instead of letting patients take real control of their health care and have full access to their medical records kept by their doctor, excluding the middle man (or middle system), the following has been proposed:
- Rename the Personally Controlled Electronic Health Record (PCEHR) to My Health Record (MyHR).
- Transition to an ‘opt-out’ model for all Australians on their MyHR to be effective from a target date of 1st January 2015.
In response to this review, Dr Fernando from Australian Privacy Foundation (APF) noted:
Renaming the PCEHR to MyHR is simply an exercise in “arranging the deck chairs on the Titanic”. There is nothing “Mine” about it; the record is about me but not mine. There was nothing personally controlled in the PCEHR system, and there will be nothing controlled by patients in the MyHR system.
According to Addendum 2 of the Review report, patient authored records will not ever be “seen” by registered clinicians and patients cannot ever “see” clinical notes.
The APF is dismayed that the community is, in the first instance, being forced to ‘opt out’ of a system that risks the privacy of all personal and health information and from which they can never delete records already been uploaded to the PCEHR/MyHR system by the Crown and its agents.
Australians have already voted with their feet on the national e-health system. Despite the plethora of assisted registration processes in public hospitals and Centrelink offices across the country in 2013, the PCEHR has a history of consistently poor take up.
The myGov web site, through which people will access the PCEHR/MyHR, has already experienced a data breach debacle of mammoth proportions. The site managers have clearly demonstrated the government's inability to secure private information from the most basic threats, let alone from criminals.
There are many unresolved challenges to be addressed before the community is forcibly enrolled in the PCEHR/MyHR system. Yet there are no plans to let consumers/patients know the answers to all their questions, including forcible enrolment so that they know what will happen next, how it will happen and how their privacy will be protected. They are entitled to know what future governments may do with their data, including actions as occurred in the UK recently when the National Health Service offered Big Data harvested from the national e-health scheme about patients for sale to drug, insurance companies and others.
In response to the failed PCEHR, the report findings recommend citizens be compelled to opt-out of the rebranded MyHR system, in the hope that the community won’t notice for some time. Clinicians or other health/welfare authorities will be paid to “tout” the system to patients, damaging the trust bond needed to provide useful healthcare. Clinicians will be employed by the government to pass private citizen information on to the federal government. I find this business and marketing practice both patronising and questionable in a democratic country like Australia.
The biggest trouble is that it is not MyHR, it is the GovernmentRecordofMyHealth that is collected for an unclear purpose that may be changed at any time by the government.
There are some naive people who think that PCEHR, eHealth, MyHR — or what’s its name today? — will give them more control over what is done to their bodies by the medical establishment. Well... sadly, it won’t! The government may use the MyHR as an additional means of mass surveillance, but it won’t make anyone healthier. The most important information about the patient’s health will continue to be exchanged between doctors via their own channels, bypassing the patients. The patients will be given some access to their health summary and, perhaps, a few test results to play with and create an illusion of “control”. And everything else will remain the same.
The patients will remain at the mercy of individual doctors. If a particular doctor is happy to involve the patients in their own health care, share all the thoughts, notes and findings and fully inform them about all risks and benefits, this doctor will continue treating the patients like intelligent human beings regardless of the existence of MyHR. If, however, a particular doctor lives by the principle “in much wisdom is much grief”, and is convinced that medical details are none of the patient’s business, this doctor will continue to tell the patients the bare minimum, and will keep and communicate all the information regarding the patient’s health to other doctors secretly, again, regardless of the existence of some eThing or MyWhatever.
As a whole, the Australian health care system is a patronising and paternalistic enterprise, and has no intention to change. It disregards countless experiments that proved that full disclosure and absolute truth strengthen patients’ trust and lead to better health outcomes.
Australians are not allowed to decide for their life, nor for their body, nor for their health. Abortion is still the subject of criminal law like in the Dark Ages, euthanasia is forbidden, medical records are declared the property of doctors, most medications are prescription only, anonymous health care is impossible... We all want to live in a free country and believe that we are free individuals, but how can we, given all that?
In a system where political interests and economic gains are put above the individual patient’s well-being, no eSolution is going to put an end to that. Evidently, the majority of Australians realised that and avoided PCEHR. But we will be pushed into it anyway, unless we opt out in time.
According to the APF’s July 2014 submission to the Dept of Health regarding their Review of the PCEHR,
“...During 2013, in order to overcome the embarrassment of extremely low voluntary adoption rates, the Department stooped to fraudulent means of achieving enrolments. The Review conducted during 2013 abjectly failed to reflect the submissions put to it in relation to the scheme’s failure to address the needs of patients, its highly anti-privacy architecture and design, and its focus on the needs of public servants rather than patients and clinicians. The relevant Recommendations would drive the scheme, under whatever name is chosen, yet further away from patient-orientation and privacy-sensitivity. APF emphatically opposes the renege on the commitment to a consent-based scheme and the imposition of opt-out, the further reduction in what little patient control exists ... and the ongoing very low level of engagement with consumer interests.”
The APF notes that another clinical safety audit of the PCEHR has been established, the fourth since its implementation in July 2012. Yet the research design or findings from the audits have not been made available in the public domain. It is crucial that the results of these taxpayer-funded audits be publicly and transparently available so that patients can provide informed consent to uploading their private health information to PCEHR servers.
It’s a bad system and it’s gone wrong! What is going to happen next? Is the government going to remove the patient’s control, or make opt-out impossible, or both? Or let people opt-out, but nevertheless retain all the information and keep collecting new data, just make it invisible to the patient? Or demand that people must register for myGov in order to be able to opt out of MyHR? I would stay away from this MyHR of theirs for as long as possible.
What is it lately with the Australian Government? Is it so much in love with the “My Computer” shortcut from Windows 95, or has someone run out of sense and imagination in naming the electronic and online “improvements” and “initiatives” dished out so hastily in large numbers?
myPost, myPolice, myGov, myTax, myHealth Record...
Is someone really thinking that adding “my” to a badly-made, insecure, privacy-invading, forcibly-imposed system of mass control and surveillance will make people trust it and like it?
If it is really “mine”, why cannot I choose not to be forced to use it? Why is myGov mandatory for lodging tax returns? Why is myHR about to become opt-out?
On 18 December 2015 the Australian Bureau of Statistics announced that it will keep people’s names and addresses collected during the 2016 Census and link Census data to health records — all without people’s control or consent.