The Joint Committee on Law Enforcement report on Vaccine related fraud and security states
COVID-19 vaccines have emerged as the primary tool being used to combat the health impacts to individuals by variants of coronavirus. The integrity of the COVID-19 vaccination program is therefore vital to ensure the success of public health initiatives to reduce the mortality and morbidity caused by coronavirus.
...
There are a number of different elements to ‘vaccine related fraud and security’. For the purposes of this report:
- Vaccine related fraud refers to organised crime groups undertaking fraud using peoples’ uncertainty or desire for vaccines as the ‘bait’.
- Vaccine security refers to the integrity of the individual vaccine dose being injected in a person.
- Vaccination related fraud (as distinct from ‘vaccine related fraud’) refers to groups or individuals seeking to subvert the Australian Government’s COVID-19 vaccination program or state and territory governments’ vaccination related public health restrictions.
Vaccine related fraud
Vaccine related fraud was examined in detail in the committee’s interim report of this inquiry. As explained in the interim report, concerns held early on in the pandemic were that:
…a significant proportion of COVID-19 related crime will be where criminals use vaccine-themed telephone and online phishing scams to obtain personal identification information to exploit for future fraud, with cyber criminals ‘preying on citizens’ anxieties and uncertainties, along with less secure [working from home] conditions to take advantage of the COVID‑19 vaccine rollout through online scams’.
As outlined in the interim report:
…the actual levels of pandemic-related fraud experienced by Australians has to date been less than expected. This has been particularly true in relation to vaccines, largely due to the no-cost public health nature of Australia’s COVID-19 vaccination program.
Since the release of the interim report, no evidence has been provided to the committee to cause it to revise that finding. This final report will therefore not re-canvass issues of vaccine related fraud, and the committee instead refers interested readers to the interim report which covered this topic extensively.
Vaccine security
As outlined above, vaccine security refers to the physical security of the supply chain and the integrity of the vaccine dose to be injected in an individual—is it legitimate or is it counterfeit, black market or otherwise tampered with?
Early in the pandemic there were concerns that ‘Australia may prove to be particularly vulnerable to illegal COVID-19 black markets, with one of the world’s highest concentrations of darknet drug vendors per capita’.
The interim report for this inquiry provided extensive detail on the steps being taken by various government law enforcement and health agencies to ensure the integrity of vaccines to be administered to individuals, underpinned by the measures put in place by pharmaceutical companies and health professionals themselves, such as pharmacists, nurses and medical practitioners.
As with vaccine related fraud discussed above, the interim report found there was little manifestation of vaccine security concerns and reported that ‘the widespread distribution of no cost COVID-19 vaccines mitigates the organised crime threat in Australia, with the most likely remaining threats limited to scam attempts and small-scale black-market activity’.
Since the publication of that interim report in August 2021, the committee has continued to keep a watching brief on the security of vaccines and is confident that the situation remains the same, with no physical security or vaccine integrity concerns being actualised. This final report will therefore not re-canvass vaccine security issues and, as with vaccine related fraud, the committee refers interested readers to its interim report.
However, it is important to note the continued work of the Australian Government to protect Australian essential services by strengthening the security and resilience of critical infrastructure. Amendments to the Security of Critical Infrastructure Act 2018 (the SOCI Act), enacted on 22 November 2021, introduced mandatory cyber incident reporting (Part 2B of the SOCI Act) and provided government assistance in response to significant cyber attacks that impact Australia’s critical infrastructure assets. Further changes have been proposed under the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, introduced into the House of Representatives on 10 February 2022, which would enact:
[C]ritical infrastructure risk management programs for critical infrastructure assets (proposed Part 2A of the SOCI Act); and enhanced cyber security obligations for those assets most important to the nation, described as systems of national significance (proposed Parts 2C and 6A of the SOCI Act).
These amendments are intended to help address threats to Australia’s critical infrastructure during events such as the COVID-19 pandemic, but also broader threats ‘ranging from natural hazards (including weather events) to human induced threats (including interference, cyber attacks, espionage, chemical or oil spills, and trusted insiders).
Vaccination related fraud
Increased population-wide uptake of COVID-19 vaccinations can allow governments to reduce reliance on other disease suppression methods, such as lockdowns, travel and site attendance restrictions and face masks. As such, the Australian and state or territory governments implemented a range of measures designed to encourage greater uptake of COVID-19 vaccinations which, apart from the reduced health risks to the vaccinated individual, largely centred on vaccinated people having fewer public health related movement or activity restrictions. It is important to note that these public health restrictions, with the exception of entry to Australia, are the responsibility of state and territory governments and are enacted and enforced via the laws and policies of those jurisdictions.
To ensure compliance with various proof-of-vaccination requirements, governments have required a reliable system for individuals to prove their vaccination status. To support this, the Australian Government expanded the existing Australian Immunisation Register (AIR) system—the national database that tracks the immunisation records of Australians—to include COVID-19 vaccinations. As with other vaccinations, individuals book a COVID-19 vaccination with a registered health professional who then logs the vaccination onto the AIR system. Individuals can download a certificate showing their vaccination status onto personal digital devices or in printed form, which can then be shown when COVID-19 vaccination proof is required. The digital certificate was designed to be integrated with state and territory check-in apps, so that those jurisdictions are able to control how they work in conjunction with QR codes and locally set health restrictions.
There are some Australians who are opposed to COVID-19 vaccinations and/or vaccination mandates. It is important to note that there are people who do not wish to be vaccinated but are nonetheless compliant with other COVID‑19 related public health restrictions, such as mask wearing, contact tracing, and movement or workplace restrictions.
However, within the cohort of people who do not want to be vaccinated against COVID-19 evidence and reports suggest that many also wish to avoid other public health restrictions. Some of these people are engaging in various forms of fraud, not to avoid vaccination—which is not itself mandatory—but to avoid other public health restrictions. These fraud activities can be broken down into three broad categories:
- Vaccination status (certificate) fraud, where a person uses a forged certificate to fraudulently claim to be vaccinated.
- Vaccination exemption fraud, where a person or medical practitioner fraudulently claims an exemption from vaccination.
- Vaccination administering fraud, where a medical professional fraudulently registers administering a vaccination to an individual, or where an individual takes a vaccination under another person’s name.
These three key types of vaccination fraud are discussed in detail below.
It is important to note that, at time of writing, many of the public health restrictions that some unvaccinated people have sought to avoid have recently been relaxed or lifted—with further easing expected in the near future. There are exceptions to this general trend, including, for example, in Western Australia, where additional movement and work restrictions have recently been introduced for unvaccinated people. However, to the extent that restrictions on unvaccinated people are reduced or removed, this will likely correspond to a decrease in the incidence of fraudulent activity such as that described below.
Vaccination certificate fraud
The Australian Government has responsibility for vaccination programs under its public health role, including maintaining a register of vaccinations. As outlined above, proof of COVID-19 vaccination status uses the existing AIR system, which was expanded by the Australian Government to include COVID-19 vaccinations.
With the exception of vaccination mandates for workers within aged care facilities, the Australian Government does not impose any restrictions on people in Australia based on their COVID-19 vaccination status. Any such restrictions are instead the responsibility of state and territory governments, which rely on Australian Government vaccination registers to monitor and ensure compliance with local laws.
The Department of Health has responsibility for establishing what constitutes proof of vaccinations status, and Services Australia has responsibility for maintaining the AIR system. Services Australia informed the committee that:
Since the inception of the AIR Act [Australian Immunisation Register Act 2015], vaccination provider compliance has always been high.
Services Australia submitted that the approach taken to designing the system for registering COVID-19 vaccinations was to manage a ‘balance of providing consistent security features, appearance and format for vaccination certificates across all channels, while also considering customer experience and accessibility’.
Services Australia outlined the existing measures taken to protect the integrity and accuracy of immunisation records:
Contemporary cybersecurity measures are in place across the Agency’s AIR system to protect data and people’s personal information. The Agency continues to invest in a cyber-skilled workforce, modern cyber technologies, advanced threat intelligence systems, next generation firewalls and industry best practice. As technology changes and new challenges emerge, the Agency routinely subjects its online systems to independent security testing, to ensure systems are kept secure and up to date to mitigate threats.
Proof of COVID-19 vaccination status is available via a digital certificate accessible via myGov through Medicare and the Medicare Express Plus app or via a person’s My Health Record. The certificate can be stored on a mobile device or printed. Services Australia outlined to the committee prior to the rollout that it was ‘working closely with the Australian Signals Directorate and the Australian Cyber Security Centre on managing vulnerabilities with the mobile applications used to generate and display digital certificates’. Services Australia further informed the committee that digital certificates contain security measures such as a ‘shimmering Coat of Arms that shifts position when tilting or moving the mobile device (a parallax effect) … an animated tick, as well as a live clock showing the current date and times’.
Services Australia also informed the committee that AIR data is protected by restricting access to the system to officers of the agency and approved vaccination providers and their delegates with formal registration. Further, users can only download their own information via the ‘Provider Digital Access system to ensure secure access to government online services, including the AIR, via a username, password and verification code log on’.
Paper-based certificates
Users can also print their certificate, have one mailed to them or collect one from a Services Australia service location. Printed certificates contain ‘a Commonwealth Coat of Arms watermark, and every digital certificate displays a unique “document number” which can be used to verify the authenticity of certificates in the future’. Services Australia noted these security measures are consistent with other government documents, such as birth and citizenship certificates.
Concerns have been raised regarding the risks posed by paper-based vaccination certificates, given the ability to more easily forge them combined with the fact that, generally, those certificates are being used in informal settings such as shops, hairdressers, restaurants and cinemas. Services Australia informed the Senate Select Committee on COVID-19 that help lines were established to assist businesses and individuals with any concerns regarding potentially fraudulent behaviour.
According to the U4 Anti-corruption Resource Centre (U4), as paper‑based certificates are susceptible to alterations and falsification, digital‑based vaccination certificates can counter these limitations, allowing countries to reopen more safely. However, the centre also noted that while ‘QR codes with digital signatures make it far more difficult to falsify vaccine certificates, they are not entirely foolproof’.
Certificate fraud: perceived risks
The Royal Australian College of General Practitioners (RACGP) perceived the risk posed by fake vaccine certificates in Australia as relatively small and submitted there is ‘unlikely to be significant financial benefit in producing fake certificates, unless done on a large scale by criminals selling these to people who do not wish to be vaccinated.’
Aged & Community Services Australia (ACSA) raised concerns that ‘there may be adverse implications for the aged care sector from the use of fake vaccine certificates’ because the ‘employment of potentially unvaccinated aged care workers … would create increased vulnerability for older persons who are consumers of aged care as well as creating risk for providers not meeting Public Health Orders requiring workers to be vaccinated’.
To reduce this risk, ACSA recommended threefold that the Australian Government ‘introduce penalties for use of fraudulent certificates as a deterrence’, ‘ensure that robust technology is in place … enabling aged care workers to readily access clear evidence of their vaccinations’ and finally to publish information to ‘assist providers in recognising fake certificates and processes implemented to allow providers to report concerns’. However, it is notable that ACSA did not point to any actual cases of certificate fraud, only that should such fraud occur, it could have adverse impacts.
Likewise, the Pharmacy Guild also recommended ‘there should be standardised reporting procedures as well as legislated penalties for individuals engaging in this type of behaviour, both for the citizen and the healthcare professional.’ Penalties, akin to those that apply to quarantine breachers and those who ignore mandatory vaccination orders, should also apply to those seeking to bribe a vaccinator to falsify records or to manipulate records, either digitally or by having someone else get vaccinated in their place.
The committee notes the Australian Government has already introduced penalties in relation to such offences. Services Australia submitted that ‘with the emerging adult vaccine requirements there may be potential risk around forging of vaccination records’ and to address this risk there are ‘harsh penalties in place’. Penalties for a vaccination provider not complying with or contravening obligations under the AIR Act is ‘a civil penalty of 30 penalty units’, currently $222 for offences committed on or after 1 July 2020. Additional penalties exist for both vaccination providers and the general public for ‘an offence committed relating to protected information, which can be a penalty of imprisonment for 2 years or 120 penalty points, or both’. Additionally, Services Australia publishes information to assist businesses and individuals in recognising legitimate or fraudulent vaccination certificates.
States and territories are also able to impose their own penalties for fraud in relation to vaccination status. For example, in October 2021 the NSW Government introduced laws that a person must not ‘provide, display or produce to another person information or evidence, including vaccination evidence, purporting to show the person is a fully vaccinated person, unless the information or evidence is true and accurate’. The maximum penalty for such an offence is 100 penalty units—$11 000 and/or six months imprisonment—with a further possible penalty of $5500 for each day the offence continues.
The Pharmacy Guild also recommended that ‘any national digital solution for proving a person’s vaccination status, for travelling or entering venues for example, should primarily rely on AIR data as the single source of truth to mitigate fraud relating to vaccination status.
As outlined earlier in this section, AIR data is being used as the system for proving COVID-19 vaccination status. As such, all recommendations provided to this inquiry as to ensuring the robustness of COVID-19 vaccination status proof, have been enacted.
Certificate fraud: experienced
While there have been some media reports of the use of fraudulent vaccination certificates, such fraud does not appear to be widespread and, in cases to date, appears to have been conducted in an inexpert manner that is quickly identified. These instances include individuals engaging in forgery as well as websites that allow users to input data to generate a fake certificate or check-in proof. A cyber security expert noted that these fake certificates have limited application as they cannot be used to enter locations using integrated check-in apps, and further relied on busy situations ‘where the differences between real and fraudulent certificates wouldn’t be noticed’.
As noted above, there is a reduced risk of vaccination certificate fraud moving forward, at least to the extent that many of the movement and site attendance restrictions have been lifted, or are expected to be in the near future. Remaining restrictions are largely around travelling between states and work-place vaccination mandates, both of which entail assessing proof of vaccination status in formal settings where the likelihood of successfully using a forged certificate is significantly lower.
International certificate fraud
There have been globally coordinated efforts in developing an International COVID-19 Vaccination Certificate that works in conjunction with existing ePassport technology already working across the globe. This certificate allows easy outbound and inbound international travel to and from countries that recognise the existing International Civil Aviation Organisation standards, using Visible Digital Seal technology.
There is also some vulnerability to Australia from vaccination certificate fraud undertaken overseas, and then used to enter Australia. U4 listed a number of instances of COVID-19 certification fraud related to international travel, however it is important to note that these instances occurred in areas with significantly high rates of other types of fraud, including Russia, Central America, Zimbabwe, South Africa
U4 noted that:
Fraud cases are on the rise as security concerns around the Certificate mount. The main perpetrators include organised crime networks, corrupt healthcare workers, and anti-vaxxers.
In Italy, several online fraud schemes peddling fake vaccine certificates, with fake QR codes and vaccine batch numbers, were closed down. In France, real certificates, with real QR codes were being sold, allegedly obtained from health workers with official access to the health databases. In Greece, a doctor who was himself an anti-vaxxer and ‘Covid denier’ was caught red-handed, giving fake inoculations to obtain certificates for his Covid-sceptic friends. We are seeing how security flaws in the European Certificate make it easy for those with the know-how and the right connections to forge and obtain fake certificates.
Despite these instances of fraud overseas, no evidence was provided to the committee to suggest the current occurrence of forgery of international vaccination certificates had been used for entry into Australia.
Vaccine exemption fraud
Vaccine exemption fraud is where a person fraudulently claims to have a medical condition that warrants exemption, or where a medical practitioner (doctor) grants an exemption in breach of the guidelines established by the Australian Technical Advisory Group on Immunisation (ATAGI).
There are existing systems to ensure the integrity of exemptions to vaccinations, which have been expanded to include reviewing COVID-19 vaccination exemptions. The primary integrity mechanism is that vaccination exemptions can only be granted by registered medical practitioners.
Medical practitioner fraud
Medical practitioners are regulated by the Australian Health Practitioner Regulation Agency (AHPRA), which has published information on laws and policies that medical practitioners must follow in relation to COVID-19 vaccinations, as have many other medical practitioner organisations. This includes guidance for those who may have a conscientious objection to COVID-19 vaccinations that they must not ‘discourage their patient or client from seeking vaccination’ and must ‘ensure appropriate referral options are provided for vaccination’. Thus medical practitioners are able to personally object to COVID-19 vaccinations while remaining compliant with relevant public health laws and policies.
Any vaccination exemptions must be reported by the practitioner to the Department of Health, which monitors the numbers and types of exemptions granted. Suspected breaches of law or policy regarding COVID‑19 vaccination exemptions are referred for investigation to AHPRA, with sanctions for breaches including a caution, education, limits to perform certain procedures or in extreme circumstances, a temporary or permanent ban from practice.
The RACGP submitted that there have been a few reported cases of medical practitioners who fraudulently granted an ineligible person an exemption to taking a COVID-19 vaccine. The RACGP noted it would be ‘exceptionally rare for someone to not be able to receive any COVID-19 vaccine’ because ‘those who have a contraindication to one vaccine have other vaccine options available to them’.
here are limited grounds for an exemption, such as a major medical condition or past anaphylaxis to an ingredient of the vaccine. Anti-vaccination groups published details of certain medical practitioners who were willing to provide such exemptions. Some of these medical practitioners ultimately were the victims of their own success, when the large numbers of people attending their practices tipped off authorities, with investigations resulting in their suspension from practising medicine.
Patient fraud
There have been media reports of medical practitioners being pressured by patients to provide exemptions for COVID-19 vaccinations. Early on in the vaccination rollout, anti-vaccination groups published information that anxiety about vaccination could be considered a ‘major medical condition’ and advised people to seek exemption on these grounds. The President of the RACGP, Dr Karen Price, reported that some patients become ‘aggressive and abusive, demanding an exemption when not fitting the clear criteria’.
As outlined above, health organisations provide a wealth of supporting information for medical practitioners and nurses on COVID-19 vaccinations, including tips on holding difficult conversations with vaccine-hesitant people. It must be noted that medical practitioners receive a great deal of training and support as the role often includes navigating difficult consultations, such as when patients exhibit drug-seeking behaviours. COVID‑19 vaccination hesitancy, or outright refusal, is just one of the many difficult medical situations that medical professionals navigate in their profession. Dr Price also reported that in many instances, doctors were able to talk to patients about their concerns, resulting in that person agreeing to be vaccinated.
Vaccine administering fraud
Vaccine administering fraud refers to a health professional lying about having administered a vaccination so the patient can fraudulently claim to have been vaccinated. As such, it requires a level of conspiracy between two or more people—one of whom is a registered doctor, nurse or pharmacist—and is therefore rare.
Vaccine administering fraud can also be where an individual takes a vaccination under another person’s name. The Pharmacy Guild of Australia (Pharmacy Guild) outlined vaccination processes that reduced risk of this type of fraud:
Community pharmacy actively contributes to reducing the risk of vaccination certificate fraud with the implementation of strict processes and procedures for COVID-19 vaccine administration. These include processes and procedures for confirming the identity of individuals presenting for vaccination, as well as assessing an individuals’ eligibility for vaccination by checking the Australian Immunisation Register before administration of a vaccine.43
The Pharmacy Guild submitted that following these processes had ‘enabled pharmacists to identify instances of potential vaccination fraud and address the situation by denying administration of a COVID-19 vaccine to the individual involved.’
The Pharmacy Guild noted further protective factors against fraud being that ‘pharmacists are adept at reporting prescription fraud and having difficult conversations with individuals potentially partaking in fraudulent behaviour’.
Administering fraud experienced
There have been a few media reports of medical staff who have been involved in a conspiracy to commit fraud by declaring a person as having been vaccinated for COVID-19 when in fact that no vaccine was administered.
A nurse in Western Australia was accused of pretending to vaccinate a 15-year old boy, with further accusations she had elected to administer vaccines for the purpose of committing such fraud for a number of family and friends. The nurse was charged with fraud, with those charges later dropped due to lack of evidence. However, after investigation by AHPRA, the nurse agreed to surrender her registration and is now unable to work as a nurse in Australia. As with the case cited earlier in this chapter of doctors granting false exemptions, suspicions were raised by the number of people attending the clinic and asking for the nurse by name, triggering notifications and ultimately the arrest of the nurse.
The Pharmacy Guild submitted that there have been a small number of reports by pharmacists of being offered ‘significant’ bribes to ‘falsify Australian Immunisation Register records such that an individual may obtain a genuine COVID-19 vaccination certificate issued by the Australian Government’. The Pharmacy Guild further submitted:
Another concern is reports of individuals other than the person who has made the vaccination booking presenting for vaccination at a pharmacy for the purpose of enabling a vaccine hesitant person to obtain a genuine COVID-19 vaccination certificate without receiving the vaccine.
The Pharmacy Guild recommended ‘establishing a dedicated system for COVID-19 vaccination providers to report potential COVID-19 vaccination fraud’. Such a system has already been established. COVID-19 vaccination fraud can be reported via existing fraud reporting systems of Services Australia, a system already well-known to health professionals, and information on how to report is also provided on the Services Australia website.
