Reports claim that Australia's Medicare system has been breached and people can now buy the medicare details of any Australian individual for about AU$30 on the Darknet. It is believed that the breach did not occur as a result of a cyber attack and that the information was likely accessed via a doctor's office or through another unknown vulnerability.
It is not surprising that the seller was able to easily breach the Medicare system. Records show that there are over 200,000 medical professionals and administrative staff that are authorised to access personal health records. With a single phone call, the only requirement is to provide the name and date of birth of the victim before receiving the individual's Medicare number.
However, investigations are still ongoing and nothing has been confirmed. A statement released by the government says that it is taking these reports very seriously and has referred the matter to the Australian Federal Police for investigation.
Paul Farrell, a journalist at The Guardian, was able to verify the validity of this breach by buying his own details from the vendor who goes by the name the "Medicare Machine". In a Tweet, Farrell wrote, "I purchased my own Medicare card details from the Darkweb auctioneer for just $20USD. The vendor even uses a fake Aus gov logo". Before going public with the breach, the news site brought it to the attention of the relevant departments in government.
In spite of this, Minister of Human Services Alan Tudge has said, "People's health records are not at risk because of this, because your card alone doesn't give you access to your health record". This may be why the memo that ordered Australian Tax Office employees to decline Medicare cards as proof of identity was almost immediately retracted. However, medicare details have been known to be used by criminals (specifically organised crime) in identity theft.
According to The Guardian, the vendor has been selling Medicare numbers on the Darknet since 2016 and has sold at least 75 card details since then. The vendor also plans to begin selling the personal details in bulk upon request.
This incident does not bode well for the Australian Government and may push many people to refuse the My Health Record initiative which aims to centralise Australians' medical health records. Next year an account will be made for every Australian individual, but if people lose faith in the government's ability to secure their privacy, many will opt out of this project. This is due to the fact that if this initiative is implemented, the centralised database will be accessible to 100,000 hospitals and medical centres, making personal health records even more vulnerable to breaches.