The government has launched an internal investigation following reports the Medicare details of Australians are being sold on the dark web, and referred the matter to the Australian Federal Police.
As The Guardian revealed on Tuesday, a user operating on a popular dark web trading site was found to be selling the Medicare card number of “any Australian citizen” for about $30. The user said they had access to the details by “exploiting a vulnerability in the government’s system”.
The Guardian journalist allegedly proved the legitimacy of the sale by buying his own Medicare number.
While a Medicare number alone cannot grant access to health records, it can be used to create a fake card which can then be used for identification fraud.
The trader on the dark web, who uses the Department of Human Services' logo, requests the full name of an Australian and their date of birth in order to supply their Medicare number, IRN and expiry date in exchange for payment in bitcoin.
The government quickly moved to downplay the reports, with Minister for Human Services Alan Tudge saying that this is not a cyber incident, and that only a “small number in the dozens” of Australians have been impacted by it.
“The report suggests that the numbers involved are very small and there is no indication that there has been a wide scale breach,” Tudge said.
“The advice I have received from the chief information officer in my department is that there has not been a cybersecurity breach of our systems as such, but rather it is more likely to have been a traditional criminal activity.”
Tudge said this means that “someone hasn’t hacked into a database” and pointed to a previous case where someone had broken into a medical clinic to steal Medicare numbers.
The Minister did not address concerns that the Medicare numbers could be used for identification theft, or that they appeared to be accessed in real time, indicating a major vulnerability.
Despite the sale of Medicare details going on since October last year, the government and police claim they were only made aware of the matter when they were told by The Guardian on Monday.
Shadow Minister for Human Services Linda Burney said this amounts to a “serious data breach”.
“People should be very concerned that their details might be in the hands of somebody else through a website that sells illegal goods,” Burney said. “It’s another major IT embarrassment for the government, and will place additional scrutiny on its planned $1 billion centralised e-health system.”
Tudge has said he will make further comment on the matter once the AFP has completed its investigation.
Update 10 July 2017: The Turnbull Government has commissioned a review of the accessibility by health providers of Medicare card numbers.