An alarming report has revealed the private Medicare card details of any Australian are available to buy via “The Medicare Machine” – a darknet vendor exploiting an alleged vulnerability in the government agency which the seller hopes is “here to stay”.
Guardian Australia lead the investigation, verifying the claims by requesting the details of a Guardian staff member. All you need, they say, is the first and last name – as well as date of birth – of any individual. Then you receive their full Medicare card details.
The Medicare details of at least 75 individuals have been sold via the vendor in the last nine months alone, with the current going rate 0.0089 bitcoin ($29.75).
The Department of Human Services, Department of Health, Australian federal police and information commissioner have been made aware of the breach.
You can read the full report here, and further details as to exactly how much information is being made available (is it just card numbers? or are medical records sold as well?) have been requested. We will update as we learn more.
Even if it is just the card details, what can buyers actually do with this information? Identity theft is the big one. Your Medicare details could be used to open bank accounts, apply for credit cards, start an illegal business or apply for a passport. Your details could also be used to commit serious crimes, such as money laundering and - in extreme cases - terrorist acts.
If you think you may be at risk, contact IDCare.
Minister for Human Service, Alan Tudge, released the following statement regarding the report:
Claims made in the Guardian newspaper that Medicare card numbers are able to be purchased on the dark web, are being taken seriously by the government and are under investigation.
These claims have also been referred to the Australian Federal Police.
The Guardian claims that one of its own journalists bought his own Medicare card details from the dark web.
I have received assurance that the information obtained by the journalist was not sufficient to access any personal health record. The only information claimed to be supplied by the site was the Medicare card number. The journalist was asked to provide his own name and date of birth in order to obtain the Medicare card number.
Any apparent unauthorised access to Medicare card numbers is nevertheless of great concern.
I cannot comment on cyber operations, however, I confirm that investigations into activities on the dark web occur continually. The security of personal data is an extremely serious matter. Thorough investigations are conducted whenever claims such as this are made.
The Department of Human Services receives ongoing advice and assurance regarding its cyber security capabilities from the Australian Signals Directorate, the nation's top cyber security agency.
The Government has an ongoing commitment to prioritise cyber security and is constantly working to further improve our capability.