Claims the Medicare card numbers of all Australians are up for sale on the dark web have been referred for investigation by the Australian Federal Police, with the government insisting electronic health records are safe from nefarious access.
Medicare numbers have been illegally trading for less than $30 on the online marketplace for illegal products, according to an investigation by Guardian Australia.
The dark web vendor of the “Medicare machine” requires a name and date of birth to retrieve “Medicare patient details” by request, raising questions about the cybersecurity of Australian government agencies, including the Department of Human Services, which is responsible for Medicare.
Alongside the department’s logo, the vendor thanks the cyber-shop’s clientele for their patience during an outage.
“I see you guys missed me a lot more than what the Commonwealth did. Many thanks to all of you for your kind words of encouragement during the outage, much appreciated,” the hacker wrote.
Since its return online in October 2016, the Medicare machine claims to have sold 75 Medicare numbers for 0.0089 bitcoin each, the equivalent of $22.
Medicare card details are not publicly available and can be used for identity theft or to defraud the government of Medicare rebates.
In a press conference today Human Services Minister Alan Tudge said the department had informed him there had been no breach of its systems.
"The suggestions are the numbers are very small and we are talking about the acquisition of Medicare card numbers only," Tudge said.
"It is more likely to have been a traditional criminal activity," he said.
Concerns that the details could allow a malicious attacker to gain access to the My Health Record were unfounded, a spokeswoman for the Federal Department of Health said, with robust controls in place.
“Additional information is required to authenticate consumers or doctors as a user and provide access to records,” the spokeswoman said.
“Additionally, the My Health Record has real-time monitoring and surveillance including a record of every access to ensure it is authorised and identification and rapid response to suspicious activities.”
The My Health Record contains the records of almost five million Australians and in five years of operation has experienced no security breaches, according to the Department of Health.
Since returning to the dark web, the vendor claims to be able to access Medicare numbers by “exploiting a vulnerability which has a much more solid foundation which means not only will it be a lot faster and easier for myself, but it will be here to stay. I hope, lol.”