Express Plus Medicare

Serious concerns
Services Australia · 🇦🇺 Australia
Technical details
App: Express Plus Medicare
Manufacturer: Services Australia

⚠️ The bottom line

Your Medicare number — for $30 on the dark web. A journalist proved it by buying one. The leak came through a government portal that health professionals use. Services Australia denied it, investigated it, and confirmed it. For thirty dollars, anyone could get the number that unlocks your entire medical history. The Medicare app stores your login tokens in plaintext on your phone. Use it on public Wi-Fi at a hospital waiting room and your health claims could be intercepted. The government asks you to go digital, then builds the app like security is optional.

Legal jurisdiction
🇦🇺 Australia (headquarters)
Assistance and Access Act: Govt can force companies to build backdoors in encryption — and gag them from telling you
Metadata Retention: ISPs and telcos must store 2 years of your connection data for law enforcement
Spying: 2/4 MODERATE (Is someone spying on me?)
Data Sharing: 3/4 HIGH (Who gets my data?)
Security: 3/4 HIGH (Is it actually secure?)
Honesty: 2/4 MODERATE (Can I trust what they say?)
4 contradictions: 1 critical, 2 high, 1 medium. 4 sources.
Findings by concern
Spying: 2/4 MODERATE (1 finding)
⚡ High: marketing vs third-party research
The Medicare app stores your login tokens in plaintext on your phone. Use it on public Wi-Fi at a hospital waiting room and your health claims could be intercepted. The government asks you to go digital, then builds the app like security is optional.

What they claim: Express Plus Medicare app promoted as a secure way to manage health claims

What we found: Security researchers found the Express Plus Medicare app transmitted sensitive health claim data with insufficient certificate pinning, making it vulnerable to man-in-the-middle attacks on public Wi-Fi. The app also stored session tokens in plaintext on the device, accessible to other apps with storage permissions on rooted devices.
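Both weaknesses in this finding have a concrete shape on Android. The configuration below is an added illustration, not code from Services Australia or the Express Plus Medicare app: it contrasts a network security configuration that leaves an app open to interception on a hostile network with one that pins the server's public key. The domain name and pin values are placeholders (a real pin is the base64-encoded SHA-256 of the server certificate's SubjectPublicKeyInfo), and the file is referenced from the manifest via android:networkSecurityConfig="@xml/network_security_config".

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- WEAK: res/xml/network_security_config.xml (constructed example)
     Cleartext HTTP is allowed, user-installed CAs are trusted, and no
     certificate pins are declared. Any CA the device trusts can issue a
     certificate the app will accept, so traffic on an untrusted Wi-Fi
     network can be terminated by a third party the user has been
     tricked into trusting. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="true">
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>

<?xml version="1.0" encoding="utf-8"?>
<!-- HARDENED: res/xml/network_security_config.xml (constructed example)
     Cleartext is refused everywhere, only system CAs are trusted, and the
     API host is pinned to a specific public key plus a backup key so a
     certificate issued by any other CA is rejected even if that CA is
     trusted by the OS. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <!-- Placeholder host; substitute the app's real API endpoint. -->
    <domain-config cleartextTrafficPermitted="false">
        <domain includeSubdomains="true">api.example-health-service.invalid</domain>
        <!-- Expiration forces a review before the pins go stale and brick the app. -->
        <pin-set expiration="2027-01-01">
            <!-- PLACEHOLDER: base64(SHA-256(SubjectPublicKeyInfo)) of the live key -->
            <pin digest="SHA-256">PLACEHOLDER_PRIMARY_SPKI_SHA256_BASE64=</pin>
            <!-- PLACEHOLDER: backup key held offline, so rotation does not lock users out -->
            <pin digest="SHA-256">PLACEHOLDER_BACKUP_SPKI_SHA256_BASE64=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

The second half of the finding, session tokens written in plaintext, is not a network setting: on Android the defensive counterpart is to keep tokens in Keystore-backed storage (for example EncryptedSharedPreferences from the Jetpack Security library) rather than in an ordinary SharedPreferences XML file under the app's data directory, and to keep their lifetime short so that a copied token loses value quickly.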

Data Sharing: 3/4 HIGH (2 findings)
⚡ High: privacy policy vs regulatory
Your Medicare record is not just your health data. It feeds into 14 different government data-matching programs — cross-referenced with your tax records, Centrelink payments, and veteran status. Several of these programs never had a privacy impact assessment. Your doctor visit becomes a data point in a machine you never consented to.

What they claim: Medicare privacy policy states data is used for health service delivery

What we found: Medicare data is matched with ATO records, Department of Veterans Affairs, Centrelink, and the Australian Immunisation Register through government data-matching programs. The Australian National Audit Office found 14 active data-matching programs using Medicare data as of 2022, several of which had no formal privacy impact assessment.

⚫ Medium: marketing vs regulatory
Your immunisation record was a health document. Then overnight it became a passport — required at every pub, restaurant, and workplace in Australia. Nobody asked whether Medicare data should be used as an access control system. It just happened, and if your record had an error, you could not enter your own workplace.

What they claim: Medicare app provides access to immunisation records for personal health management

What we found: During COVID-19, immunisation records accessible through the Medicare app became de facto vaccine passports. Employers, venues, and state governments required proof of vaccination for entry, effectively converting voluntary health records into mandatory compliance documents without legislative basis in many jurisdictions.

Security: 3/4 HIGH (1 finding)
⚠️ Critical: privacy policy vs third-party research
Your Medicare number — for $30 on the dark web. A journalist proved it by buying one. The leak came through a government portal that health professionals use. Services Australia denied it, investigated it, and confirmed it. For thirty dollars, anyone could get the number that unlocks your entire medical history.

What they claim: Medicare data is described as protected health information subject to strict access controls

What we found: In 2017, a journalist demonstrated that any Australian's full Medicare card number could be purchased on the dark web for $30. The data was being extracted through the Health Professional Online Services portal. The Department of Human Services initially denied the breach, then launched an investigation that confirmed it.

Sources