Three former Australian Federal Police (AFP) commissioners had their Medicare details put up for sale on the dark web.
Documents released through freedom of information (FOI) reveal that former AFP commissioners Mick Keelty, Tony Negus, and Andrew Colvin had their Medicare details placed on the now-defunct Alphabay marketplace.
An AFP spokesperson told the ABC that it knew the commissioners’ details had been up for sale, but did not know if any were ever sold.
Journalist Paul Farrell lodged the FOI request.
He has been following the dark web sale of Medicare information since buying his own card details off the dark web in 2017.
Two years ago I bought my own Medicare card details on a darkweb auction - and the department of human services still hasn’t fully implemented all the recommendations of an independent review into access controls of Medicare data — Paul Farrell (@FarrellPF) December 16, 2019
The sale of Medicare card details highlights concerns over the implementation of health data.
An independent review of access to Medicare card numbers, released in 2017, said that Medicare card numbers, like those sold on the dark web, are “an important component of Australia’s proof of identity processes”.
“The Medicare card can be used to help verify an identity and, like any evidence of identity credential, is therefore susceptible to theft for identity fraud and other illicit activities,” the report says.
“Illegally obtained Medicare card numbers could also potentially be used for fraudulent Medicare claiming or to enable ineligible individuals to access Medicare funded health services.”
It notes that sale of Medicare data could “reduce public confidence in the security of government information holdings, such as the My Health Record system”.
Privacy concerns have been abundant throughout the implementation of My Health Record.
Shared cybersecurity risk was an area that the Australian National Audit Office found “disappointing” about the My Health Record rollout, specifically around sharing information with healthcare providers and other third parties.
A journal entry mentions the sale of the AFP commissioners' Medicare details
The AFP said in the released case notes for Operation Elaphiti that it was aware of public backlash around this issue.
“With the changes earlier this year to My Health Record from an opt in to an opt out system, and the ensuing media coverage, vulnerabilities within the Medicare system are highly likely to attract significant political and media interest.”
The AFP had been investigating Alphabay since 2017 following reports that Medicare data was being sold on the site.
According to the AFP documents, “up to 160 Medicare numbers were suspected to have been accessed unlawfully”.
The redacted documents show that agents executed search warrants in relation to the vendors who were selling Medicare data, but it does not appear as though any arrests were made.
Like the infamous Silk Road, Alphabay was a site trading in black market materials – including data from high profile hacks.
Alphabay was shut down in mid-2017 after a US law enforcement operation saw the arrest of alleged site operator Alexander Cazes, who was found dead in his Thai prison cell days later.
Operation Elaphiti was suspended in June last year before being reactivated shortly afterwards when more sales were spotted.
The AFP agent’s journal notes that in September last year a new marketplace had opened up and was selling Medicare details.
Although the AFP was “aware of new advertisements” on this new site – presumably of Medicare information – the police were “reluctant to pursue due to resources”.
Official case notes mention that, due to the “scale of offending it would not be in the public interest to allocate further resources to the investigation”.