Recent revelations have uncovered a disturbing practice in which unscrupulous aged care providers are allegedly scraping private data from the My Aged Care website, leading to a barrage of unsolicited sales calls. This breach of trust, highlighted in Senate Estimates, raises serious questions about the security of sensitive information in Australia’s aged care sector.
The issue came to public attention last week, when Greens Senator Penny Allman-Payne questioned officials from the Department of Health, Disability and Ageing during a Senate hearing.
She disclosed that older individuals who had registered on the My Aged Care portal were being bombarded by telemarketers spruiking aged care services. The portal serves as the mandatory gateway for older Australians seeking assessments and support, collecting a wide range of personal details to facilitate this process.
According to the My Aged Care website, the information gathered includes basic identifiers such as names, dates of birth, addresses, emails and phone numbers. It also collects demographic details like gender, along with unique identifiers, including Medicare numbers and aged care IDs.
More concerningly, the system may collect sensitive data related to health conditions, disabilities, ethnic background and even sexual orientation. This information is intended to create a personalised record, stored securely on Australian servers in compliance with the Privacy Act.
The site assures users that strong physical and electronic measures are in place to prevent misuse, unauthorised access, modification or disclosure.
Yet, as Senator Allman-Payne pointed out, these assurances appear to have fallen short. Department representative Greg Pugh acknowledged during the hearing that reports of data scraping via software had surfaced previously.
He emphasised that such actions violate the platform’s terms and conditions and that the department neither allows nor condones them. An investigation is underway, but the admission that the issue has been known for months has sparked outrage.
In a subsequent statement, Senator Allman-Payne described the situation as a “shocking admission,” accusing the government of prioritising profits over the protection of vulnerable citizens. “Older Australians are having their information stolen from My Aged Care by unscrupulous providers and being used to target people with sales calls for aged care services,” she said.
She questioned the effectiveness of existing protections and highlighted the added risks older people face from scams and aggressive sales tactics.
A spokesperson for the Department of Health countered that personal details on the My Aged Care portal are accessible only to authorised users, who are subject to strict legal obligations under privacy and aged care legislation to prevent inappropriate use.
Despite this, public reaction has been swift and critical. On social media, users have expressed dismay, drawing parallels to similar issues in other government services such as the National Disability Insurance Scheme.
One commenter lamented the apparent disregard for caring for older Australians, while another called it a blatant money-making scheme.
This latest controversy does not exist in isolation. It follows a troubling history of data privacy concerns surrounding My Aged Care. Just two months earlier, reports emerged of a cyber attack on Salesforce, the backend supplier for the platform’s Government Provider Management System (GPMS).
Hackers from a group known as “Scattered LAPSUS$ Hunters” claimed to have compromised data from numerous clients, potentially including sensitive records from Australian entities.
Although My Aged Care was not explicitly named, the incident amplified calls for greater scrutiny of government contracts with tech giants. The GPMS project itself has been plagued by cost overruns, ballooning from an initial $13.5 million to nearly $150 million, with little tangible benefit to providers or users.
The Salesforce breach involved the alleged theft of around one billion records, with threats to leak the data unless ransoms were paid. While the company downplayed the claims as relating to past incidents, portions of the data reportedly appeared on dark web sites.
This event underscored vulnerabilities in the digital infrastructure supporting aged care, prompting demands for independent investigations and stronger safeguards.
As Australia’s population ages, reliance on platforms like My Aged Care will only grow. With more than a million older Australians potentially affected by such systems, the need for robust data protection is paramount. Experts argue that this incident highlights broader systemic issues, including inadequate oversight of third-party providers and the commodification of personal information in the aged care industry.
For those navigating the system, the advice is clear: remain vigilant against unsolicited contacts and report suspicious activity to the department or the Australian Cyber Security Centre.
Meanwhile, advocates such as Senator Allman-Payne are pushing for reforms to ensure that profits do not come at the expense of privacy. As one affected individual might attest, the promise of secure aged care should not be undermined by the very tools meant to deliver it.
Just when you thought that these marketing people couldn’t go any lower …
My suggestion would be to string them along for a bit, get their full details, and then lodge a complaint with the government, demanding to be told how they actually got the information, and from whom.
Absolutely no surprises here.
Why is it that Government computing projects seem be too expensive, too late and too insecure ?
However the Government always wants more data and says its secure 🤣🤣🤣😳