An alarming report has revealed the private Medicare card details of any Australian are available to buy via “The Medicare Machine” – a darknet vendor exploiting an alleged vulnerability in the government agency which the seller hopes is “here to stay”.
Guardian Australia lead the investigation, verifying the claims by requesting the details of a Guardian staff member. All you need, they say, is the first and last name – as well as date of birth – of any individual. Then you receive their full Medicare card details.
The Medicare details of at least 75 individuals have been sold via the vendor in the last nine months alone, with the current going rate 0.0089 bitcoin ($29.75).
The Department of Human Services, Department of Health, Australian federal police and information commissioner have been made aware of the breach.
You can read the full report here, and further details as to exactly how much information is being made available (is it just card numbers? or are medical records sold as well?) have been requested. We will update as we learn more.
[referenced url=”https://gizmodo.com.au/2016/05/nbn-for-health-nsw-ehealth-strategy-announced/” thumb=”https://gizmodo.com.au/wp-content/uploads/2016/05/online-doctor-410×231.jpg” title=”The ‘NBN Of Health’: NSW eHealth Strategy Announced” excerpt=”A strategy for eHealth, a “digitally enabled and integrated health system” with a focus on delivering “patient-centered health experiences with quality health outcomes” was today announced by the NSW Minister for Health, Jillian Skinner.”]
Even if it is just the card details, what can buyers actually do with this information? Identity theft is the big one. Your Medicare details could be used to open bank accounts, apply for credit cards, start an illegal business or apply for a passport. Your details could also be used to commit serious crimes, such as money laundering and – in extreme cases – terrorist acts.
If you think you may be at risk, contact IDCare.
Minister for Human Service, Alan Tudge, released the following statement regarding the report:
Claims made in the Guardian newspaper that Medicare card numbers are able to be purchased on the dark web, are being taken seriously by the government and are under investigation.
These claims have also been referred to the Australian Federal Police.
The Guardian claims that one of its own journalists bought his own Medicare card details from the dark web.
I have received assurance that the information obtained by the journalist was not sufficient to access any personal health record. The only information claimed to be supplied by the site was the Medicare card number. The journalist was asked to provide his own name and date of birth in order to obtain the Medicare card number.
Any apparent unauthorised access to Medicare card numbers is nevertheless of great concern.
I cannot comment on cyber operations, however, I confirm that investigations into activities on the dark web occur continually. The security of personal data is an extremely serious matter. Thorough investigations are conducted whenever claims such as this are made.
The Department of Human Services receives ongoing advice and assurance regarding its cyber security capabilities from the Australian Signals Directorate, the nation’s top cyber security agency.
The Government has an ongoing commitment to prioritise cyber security and is constantly working to further improve our capability.
[referenced url=”https://gizmodo.com.au/2017/01/your-metadata-isnt-private-personal-information-federal-court-decides/” thumb=”https://gizmodo.com.au/wp-content/uploads/2017/01/iStock-458310063_1080-410×231.jpg” title=”Your Metadata Isn’t Private Personal Information, Federal Court Decides” excerpt=”A long-running case on whether you’re allowed access to view your own mobile phone metadata — retained by Australia’s telecommunications companies for government snooping, including comprehensive call logs and location data — and whether that data is classified as “personal information” has come to an unceremonious end.
Australia’s Federal Court has put a stop to a final attempt by Australia’s peak privacy advocates to restrict the retention and access of information by Australia’s telcos, and the judgment will have wide-ranging implications for what information is considered personal under the terms of the Privacy Act.”]