The private information of "virtually every" New Brunswicker is at risk through the outsourcing and automatic renewal of medicare cards, says the province's auditor general.
There have been 157 privacy breaches since 2017, including 31 so far this year, Kim MacPherson's audit found.
The majority relate to mailing addresses not being verified before medicare cards are mailed out, she said.
Two private contracted companies — Medavie Blue Cross and CPI Card Group — possess sensitive personal data on New Brunswickers, including credit card information, noted MacPherson.
"It is very important that Medicare safeguard that information and ensure it is only used for its intended purposes," she wrote in her report, released on Tuesday at the legislature.
"Failure to do so subjects NB residents to the potential of identity theft, and the Province to financial and reputational risks."
More cards than residents
In 2016, there were 10,700 more active medicare cards than New Brunswickers, MacPherson found.
Ineligible use of medicare cards can be costly to taxpayers, she said. Medicare costs more than $650 million per year — nearly a quarter of the province's health-care spending.
Medicare has insufficient procedures to identify ineligible cardholders, such as those who move out of province, or to cancel their cards, she said.
Her report identifies lack of photo identification as a key security weakness.
New Brunswick is the only province with medicare card expiry dates that doesn't require cardholders to apply for renewal, MacPherson's analysis found.
"Most cardholders, once initially approved, may never again be evaluated for eligibility."
The province switched to an automatic renewal process in 2014, saying it would save about $218,000 annually.
Under the system, a few months before a card is set to expire, Medavie automatically mails out a replacement to the last address on file for the individual without confirming the address is correct.
The automatic renewal process has significantly weakened Medicare's control over Medicare cards. - Kim MacPherson, auditor general
Replacement cards continue to be mailed every five years "unless and until" a card is returned as undeliverable.
"The automatic renewal process has significantly weakened Medicare's control over Medicare cards" and increased the risk of a usable card "getting into the wrong person's hands," wrote MacPherson.
In addition, she could not confirm whether the anticipated cost savings associated with automatic renewal were ever achieved. The Department of Health never provided information about how the estimated savings were calculated, she said.
MacPherson recommends Medicare determine if there were costs savings and whether they were "sufficient to offset the additional risks." If not, she recommends abandoning the automatic renewal process.
Whatever system Medicare uses, it should develop procedures to verify mailing addresses before sending out renewal documents, she said.
Medicare should also analyze whether it could save money by investing in additional resources to identify medicare cardholders who have become ineligible.
The Health Department will complete an analysis of potential mechanisms and payback, with a target completion date of June 2020, according to the report.