Medicare patient details are available to buy on the ‘darknet’

A popular site for illegal products offers Medicare details for $30.

Are your Medicare details for sale?

An investigation by The Guardian has exposed a serious Medicare security breach, with patient details for sale on a web site for illegal products.

The vendor, on a popular darknet site auctioning illegal products, claims to have access to any Australian’s Medicare card details and can produce them on request.

The darknet is popular with criminal organisations as information is not indexed or searchable.

The Guardian verified the vendor’s claims by requesting a staff member’s Medicare details, which were provided for a fee of 0.0089 bitcoin, equivalent to $29.

The card details are valuable to organised crime groups because they allow them to produce fake Medicare cards with legitimate information that can be used for identity fraud.

Card details can also be used to defraud the Government of Medicare rebates. In 2015, a police strike force targeted a group that was using Medicare card details to direct rebate payments into fraudulent bank accounts.

A spokeswoman for the Department of Human Services told The Guardian that the breach was being investigated.

The Government recently passed legislation requiring government agencies and private companies to alert the Privacy Commissioner and any people affected of any data breaches, but these laws do not come into effect until 22 February 2018.

The legislation requires agencies or companies to notify affected parties about the steps they should take in response to the data breach.

Human Services Minister Alan Tudge said the alleged data breach is being taken seriously and has been referred to the Australian Federal Police.

“The security of personal data is an extremely serious matter,” Mr Tudge said in a statement.

“I have received assurance that the information obtained by the journalist was not sufficient to access any personal health record. The only information claimed to be supplied by the site was the Medicare card number. The journalist was asked to provide his own name and date of birth in order to obtain the Medicare card number.”

Opinion: Centralising data, privatising records – this could get worse

This Medicare data breach is one of the worst in recent history, and with the method used to extract the information still unknown, it will prove very difficult for government agencies to track.

As both the Human Services and the Health departments have access to Medicare details, it will be tricky to find which party has been successfully hacked.

This breach is a horrible invasion of privacy that could lead to identity theft. And things could get worse if government agencies don’t beef up their security systems.

Next year, the full health records of all Australians will go into a centralised database called ‘My Health Records’ unless they opt out of the program. Many people would not have heard about the introduction of this scheme, much less the option of opting out, meaning that millions of Australians’ details will be vulnerable to hackers.

A centralised database with access points at any hospital or doctor’s surgery would be extremely vulnerable to hacking.

Germany has a safer system with patient details recorded on a chip on their medical cards. This means a patient’s full health record is available to medical practitioners without the need to access a massive database.

There is also an issue with private companies holding a great deal more medical information thanks to the Government privatising services.

Last year, the Government announced that Telstra Health would manage a new national cancer screening register. This was the first time the Government placed sensitive medical records in private hands, and this latest breach shows the difficulties with such an approach.

The Government’s Notifiable Data Breach (NDB) legislation scheduled to come into effect next year provides some comfort that private companies will do the right thing if they notice a problem. Government agencies, though, are much better placed to detect a breach or stop one occurring in the first place.

What do you think? Are you worried about your Medicare details ending up in the wrong hands?


    COMMENTS

    TREBOR
    5th Jul 2017
    10:12am
    Absolutely. There is no honour amongst thieves and no concept of retaining the integrity of information entrusted to your care, the offering of which those included have no control, and over which organisations such as this exercise a jealous and absolutely exclusive control should anyone else request information.

    At the same time, since they 'control' information (one of the primary requisites for establishing social control over a populace), they then feel 'entitled' to 'earn' a profit by offering for sale parts of that information that are of value to OTHER corporate vultures, in their endless quest for opportunities to exploit that general populace.

    Once upon a time in the mythical land of Oz, it was forbidden for any public servant to give out information, on pain of up to two years imprisonment etc.

    I, for one, have had cause to refer to the Minister and the AFP the abuse of trust involved in Department of Defence employees willy-nilly handing out sensitive information to 'mates', and thus often creating strife for some with a need to retain anonymity.

    My point is that this kind of thing has become the norm for 'government' bodies and their 'privatised' mates - all of whom feel that they have an absolute entitlement to do with anything held by them as they choose, and particularly if it can generate a 'profit' these days.

    There is no longer any trust relationship with government and its departments in this nation - and it is high time this (what I call) Lower European/Central European/Middle Eastern style of nation management was consigned to the rubbish heap where it always belonged.

    Despite what the peasants from those regions may think - not everything is available for their profit ..... and especially sensitive information held in trust by government and its agencies.

    There endeth the lesson.
    Triss
    5th Jul 2017
    10:19am
    Am I allowed to ask for a copy of my Medicare records to check that nothing fraudulent has been added?
    MICK
    5th Jul 2017
    11:04am
    If anybody anywhere thinks their data is safe then go buy a lottery ticket. Whilst my main concerns are around third world Call Centres and their operations I understand that data is there to be hacked. It just takes the right skills and plenty of people out there who have them.
    Fingerprint and retina scans are coming to identify us. Welcome to the future.
    TREBOR
    5th Jul 2017
    11:34am
    Get in early and get your barcode tattooed on your forehead NOW - before the rush... (discount applies to two or more barcodes)... bulk billing available....
    KSS
    5th Jul 2017
    12:10pm
    Triss, Yes. You can even get copies of your paper based records too if you want them although some doctors may charge a fee for copying them for you. With the electronic My Health records you will be able to access them too.
    Triss
    5th Jul 2017
    2:19pm
    Thanks, KSS.
    Rosret
    5th Jul 2017
    2:29pm
    KSS - It's the My Health records that's the problem.
    KSS
    5th Jul 2017
    5:38pm
    Problem or not Rocket you will still be able to access your health record unless you have opted out.
    Tom Tank
    5th Jul 2017
    10:15am
    Modern technology is wonderful until it goes wrong then the proverbial hits the fan. If you have ever been in a major store when their computer system goes down and they have to process all sales by hand you will know what I mean.
    That is a trivial example but if you include the fact that if malicious forces are also at work then our reliance on electronic computerised equipment is at serious risk.
    Nothing is foolproof or totally secure despite what so called experts say as so many are involved in promoting this type of equipment.
    I may seem like a Luddite but I believe we need to take great care in relying so heavily on man made computerised control systems. They are only as good as the man who made them.
    TREBOR
    5th Jul 2017
    11:36am
    Any system made by man can be undone by man..... that's a given in any security situation.... NO situation is so secure that there are no avenues for intrusion and/or leakages....

    Loose bits sink chips.....
    Rosret
    5th Jul 2017
    10:32am
    Again and again and again. What is the matter with the government bureaucracy? So busy with being statistical busy bodies attempting to save money by controlling the herd and it's backfired big time.
    Why don't they employ some of the bank's (Australian) computer programmers and find out how to run a secure IT department. Unbelievable. Stop outsourcing!
    Rosret
    5th Jul 2017
    10:34am
    ...and this is going to be so much bigger than just the dark web at work here.
    KSS
    5th Jul 2017
    12:14pm
    Rosret, you clearly have access to a computer and the internet and that alone makes you vulnerable to hackers. No point in blaming the Government (this or any other). There have always been thieves and rogues and there always will be. All you can hope to do is mitigate the risk.
    Rosret
    5th Jul 2017
    2:41pm
    KSS of course I am blaming the Government bureaucracy. I am well aware of the risks using the internet and I CHOOSE what I access. The government is taking our data and choosing for us. There is no onus on them for the damage they are doing. From the Census, to Centrelink and now this. The next thing will be the paperless driver licences.
    KSS - I don't know what your background is but it would be very naive to think this is OK.
    Students' report cards are being generated on online software. Name, DOB, address, religion, subjective comments, marks - an unbelievable database of children's information - and people think it's OK! Wait for that one to come back and bite.
    The My Health scheme has put no value on the individual's medicare card or their privacy and to automatically be assigned to a system without asking I find very presumptive.
    AutumnOz
    5th Jul 2017
    6:46pm
    Agreed Rosret, there is no excuse for students' personal details to be available to anyone (hackers) who wish to access it. It is a disgrace and is going to create problems for millions in the years to come.
    GeorgeM
    5th Jul 2017
    7:36pm
    Agree, Rosret, except the idea of using the "bank's (Australian) computer programmers" also means using outsourced staff in India (mainly), as most Australian banks have outsourced most IT work to Indian companies. So, the risk remains the same - both for security & quality. They must simply stop outsourcing.
    TREBOR
    6th Jul 2017
    1:45am
    Simple solution - you outsource, you pay a tax or fee to the Australian government that makes it equal to your keeping it here in your own pants...

    I short you not - many governments will soon be doing exactly that, due to the drain on their internal economy and the security issues that will rear their ugly heads.
    KSS
    6th Jul 2017
    7:43am
    Rosret calling me naive at the same time you admit to using the internet yourself is much like the pot calling the kettle black!
    Old Geezer
    5th Jul 2017
    10:51am
    Whole Medicare system is full of holes. I've lost count of the number of Medicare claims I have signed for others as all they need is a signature and it doesn't matter whose it is.
    Waiting to retire at 70
    5th Jul 2017
    11:12am
    "This breach is a horrible invasion of privacy that could lead to identity theft. And things could get worse if government agencies don’t beef up their security systems."

    This statement in your article goes to the core of the issue AND challenges matters surrounding the centralisation of data today, be it personal or otherwise, but doesn't actually identify where the failing lies.

    The fact that the Guardian has alleged the sale of private data on the dark web has been going on since October last year is a result of a failure to understand the risks of technology in today's world. So when a prime minister appoints a "Cyber Security Special Advisor" it seemed we'd have an expert in technology protecting us from the dark side of things. Someone who has a deep understanding of cyber space, technology, and how the world of data and computers fundamentally worked. Maybe someone who has a PhD in computer science, mathematics, or the like. Someone who's worked in the industry for many years. Unfortunately not. When you look at the background of the person appointed you find:
    " He studied politics at the University of Sydney, joined the Liberal Club and worked briefly for Liberal senator Michael Baume. Then the Bachelor of Arts graduate joined the blue collar and relatively young Australian Federal Police in 1989." ***

    Impressive as his resume is, is it what is required for our cyber protection tzar? Do we want someone in place to PREVENT opportunities of breaches like the Guardian alleges? Or someone who can catch a perpetrator? Obviously we need both but prevention has always been better than cure. So who's on prevention watch?

    Why is the prime minister's special adviser reporting to him? Why doesn't the government ensure every department using technology today has their own security specialists working to build systems that are protected from such cyber exploitation? Or did we lose them all as part of the 15,000 job cuts since the Coalition was elected to government in 2013? And will we lose the rest with the mooted 4,500 job cuts as Turnbull continues with his "efficiencies program"? You reap what you sow.

    Or is this just the typical 'bubble and squeak' from our politicians?

    *** http://www.smh.com.au/federal-politics/political-news/meet-alastair-macgibbon-malcolm-turnbulls-disruptive-risktaking-cybertsar-20170302-gupnzz.html
    BrianP
    5th Jul 2017
    11:13am
    Wake up!

    Alarm bells are ringing. The Government and Human Services and the Health departments are a bunch of amateurs compared to their counterparts in the US and EU. They are not providing enough protection to Aussies. Handing over to private companies is even worse.

    Come on! Time to get professional and do the job we pay you for right.
    Maggie
    5th Jul 2017
    11:21am
    We have been assured that while card numbers can be bought, no data is compromised. Until we have proof that it actually has, we are being stirred up by sensationalism.

    I do not believe that in this day and age anyone's details are private any more and anyone who uses google, facebook, twitter, in fact the internet in any way at all has already given away more about themselves than any govt. website can do.
    TREBOR
    5th Jul 2017
    11:39am
    Wake up, Maggie - I think I've got something to say to you....

    Any and all information demanded by government for operation of its services to the public is sacrosanct - no ifs, no buts, no arguments.

    I've long stated that it is of no interest to me that my cyber-activity can be monitored - the security services know who I am, and quite frankly, I would be working for them today if they were able to incorporate differing approaches and views from the ones they are hide-bound into by many factors...

    (any organisation that cannot effectively assimilate and utilise dissent is not a strong one - Kennedy said something like that - and what he meant was that any organisation that is made up of YES people is weak and always will be)....
    Maggie
    5th Jul 2017
    6:33pm
    Not quite sure what you want to say to me. I agree that govt. info SHOULD be safe. I did not imply otherwise.

    Unfortunately we all know that there are smart hackers out there . . . .What a pity you are not working for the security services, helping to outsmart them.
    TREBOR
    6th Jul 2017
    1:47am
    Outsmarting hackers is not my forte... I do other stuff pretty well, though.
    Maggie
    5th Jul 2017
    11:22am
    We have been assured that while card numbers can be bought, no data is compromised. Until we have proof that it actually has, we are being stirred up by sensationalism.

    I do not believe that in this day and age anyone's details are private any more and anyone who uses google, facebook, twitter, in fact the internet in any way at all has already given away more about themselves than any govt. website can do.
    Waiting to retire at 70
    5th Jul 2017
    1:00pm
    Maggie, I don't think the worry is one's personal health details. And the minister in his statements has indicated that such data has not been compromised; and we have to accept that until otherwise proven.

    However, the data that has been compromised is one's details related to identity. Quite frankly for me, that is more of a problem.

    With my health data you can do what?

    With my personal data you can use it as a starting point to steal my identity. For some identification purposes (like a passport maybe***) a medicare card carries a weighting factor of up to 40 points (out of a hundred) as proof of identity. So if you steal a credit card or two of mine out of my letter box, with them and a fake medicare card and an electricity bill or gas bill (also stolen from my letter box), you can become me for a motor vehicle license, for a passport for a firearm license, to purchase ammunition, explosives, etc. Or in some states, be able to sell my property or transfer the title deeds to someone else.

    As a result of the Guardian's alleged occurrence of selling duplicate medicare cards since last October last year, the personal data of every Australian may have been at risk providing potential benefits to criminals and possibly terrorists. That should be the concentration of the federal government, not just medical records. Given the Minister has said these haven't been compromised it should be the prime minister and his "Cyber Security Adviser"/tsar, who need to be taking the lead on this matter and providing the details of what they are doing to stop such occurrences.

    *** https://www.passports.gov.au/passportsexplained/theapplicationprocess/eligibilityoverview/Pages/confirmingidentity.aspx
    Rosret
    5th Jul 2017
    2:59pm
    They can use it to get free Australian health care at the nation's cost. That isn't just one $70 doctor visit - it's the big heart, brain and cancer ops. It could cost Australia millions.
    Not a Bludger
    5th Jul 2017
    11:55am
    This will get worse before it gets better (hopefully).

    There is no such thing as internet security - just look at all the recent hacks of military, security and political agencies around the world.

    Why the government and civil service tries to pretend otherwise beggars belief.
    Liverpool Anne
    5th Jul 2017
    12:14pm
    you nailed it on the head
    KSS
    5th Jul 2017
    12:24pm
    You can always opt out of My Health.

    One of the reasons this has become an 'opt out' scheme rather than 'opt-in' is because GPs were not using it or at least very few. Sign up targets were not met so the Government changed the rules to force GPs to upload patient information.

    Personally I can see merit in having all medical records in one place and accessible by medical professionals. Fewer people these days have a family GP, they doctor shop all the time. Having all medical records in one place would not stop this shopping around but it would allow doctors to see their medical history.

    However, there have already been requests by organisations such as insurance companies to access the information on claimants, security services, and a range of other non medical parties. That concerns me far more than the possibility of wholesale hacking
    nettiser
    5th Jul 2017
    1:17pm
    You can't guarantee data security when using a network operating system that a 12 year old can breach. Microsoft networks are fraught with holes that a kid can drill into it. Once Governments and business had secure networks, like Novell and other languages like Fortran which were not easy to break into. Microsoft do not debug their releases, they pop them out and let the users find the bugs and holes then issue a patch. Their systems are like many South Australian roads, full of patches. It's no wonder that sensitive data is being sold on the darknet and anywhere else it can earn money for the hackers. It's not a good idea to centralise data either. SA did that with hospital data, after it deconstructed the government computing department and sold it off to an American company. This company then charged us for accessing our own data at blackmail rates. Time to bring Sensitive data back under a real network and in the hands of honest screened IT staff
    Rosret
    5th Jul 2017
    2:55pm
    There was a time that data that needed to be transmitted securely went on a privately rented line and stored in a separate location offline. How did we get so blasé?
    Rae
    5th Jul 2017
    3:32pm
    I wonder if that is why Mac users have so much trouble with the my gov site?
    GeorgeM
    5th Jul 2017
    4:31pm
    Agree, nettiser. Also, the outsourcing of most IT work means some low-paid techo in India (who is subject to heaps of temptations) may be writing the software - even if the front here is a major IT company as they all are using such outsourced staff.
    Old Dog
    5th Jul 2017
    1:44pm
    Mick, (somewhere in these comments) Been to the USA recently? Retina scanning and fingerprinting on entry are standard.
    Rosret
    5th Jul 2017
    2:45pm
    Have you seen the movies - they just cut off the human bits they need if it's important enough. It takes crime to a new level.
    floss
    5th Jul 2017
    2:08pm
    Privatise and perish, it is the way this lazy Federal Government likes to go and there is no going back. What a bloody disaster can we afford to wait till the next election and will the next party be much better
    Rosret
    5th Jul 2017
    2:49pm
    This isn't a political party. This is government bureaucracy making decisions and outsourcing IT projects. It's going to take a huge effort and public discontent to change the thinking of these public servants.
    TREBOR
    5th Jul 2017
    3:30pm
    Government determine direction - public service implement it via internal policy and rules/regulations.
    GeorgeM
    5th Jul 2017
    4:37pm
    Govts have also caused the outsourcing, hence drop in quality. But, this started from Labor (Keating) who destroyed the local IT with the first major IT recession in 1990, and has been in vogue since then. If political parties want they can insist on local staff for such sensitive work & access to sensitive data, but will they do it - can't see either Liberal or Labor enforcing that.
    TREBOR
    5th Jul 2017
    4:46pm
    Outsourcing is too good a pork barrel and too good an opportunity to fund your mate's lifestyle....
    TREBOR
    6th Jul 2017
    1:50am
    Sorry - that's internal to Oz outsourcing - when they outsource our national interests overseas, it's all about a few dollars...

    Remember Margie from the Fargo first run? All this for a little bit of money?

    This will come back to haunt this nation some day.....
    AutumnOz
    5th Jul 2017
    2:49pm
    We have many well trained IT people in Australia who would be happy to design a good and highly secure system for each and every government department and provide them with up to date anti virus and malware.

    However each government department seems to run on ancient, insecure systems a child could hack into in a couple of seconds. It is pathetic.

    Also the practice of hiring people from off shore companies to do security work in Australia is becoming more common with information supplied to those companies which should remain securely in the hands of the government department not given out for those outside that department to enter into software.

    My rant for the day.
    Rae
    5th Jul 2017
    3:30pm
    Yes and using Telstra who is based in the Philippines is fraught with danger.
    GeorgeM
    5th Jul 2017
    4:42pm
    Absolutely agree, AutumnOz. They pretend that work was given to IBM, Oracle etc, therefore it must be safe - whereas every such company also outsources work to India, Philippines etc., i.e. countries where corruption is rampant.
    meg
    5th Jul 2017
    3:13pm
    It is very hard to get our own information when needed

    Pathetic world we live in
    Rae
    5th Jul 2017
    3:28pm
    How long do you think it will be before the first scam starts in the Lands and Title office in NSW now it has been sold to private overseas corporates?
    MjP
    5th Jul 2017
    3:50pm
    At the moment no one knows where the 'baddies' got the details, there is no evidence that Medicare systems have been hacked. So let's stop blaming Medicare and spend time finding out where the hack occurred.
    TREBOR
    5th Jul 2017
    4:47pm
    Plenty of hacks at the top of the tree in government and business.....

    (ta-boom-tisssshhh)...
    Jim
    5th Jul 2017
    5:02pm
    Is this just another piece of scare journalism by the guardian or is there a real danger to any of us, has someone got a hidden agenda in publishing this stuff and where do these people get their information from it has to be from an illegal source I would think. I am not sure how much of our information has ever been safe I often get cold callers that seem to know as much about me as I know myself, this is the future unfortunately technology has already taken over most of our lives.

    5th Jul 2017
    5:25pm
    Why does this site publish so much negative journalism

    Where are the positive, good articles.

    Do you think that oldies are only interested in bad news?

    So much great stuff out there - life is good. Enjoy !!!
    Maggie
    5th Jul 2017
    6:36pm
    Thank you! One wonders just who is behind all this negative stuff.
    TREBOR
    6th Jul 2017
    1:55am
    If there were positives to report....... but remember the canary in the coal mine? Better to discuss things NOW than when you have just drawn your last breath....

    It's a bit like what I posted elsewhere - without Sheriffs of Nottingham there would be no Robin Hood taxes.....

    Every journey of a thousand miles starts with a single step (and a single groan) - if we, the people, are to regain some control over our nation and insert responsible management on our behalf in that nation - every little bit counts..... and the more people become aware, the more they will start to seek answers....

    Walk a mile in these politician's and public servant's shoes! After you've hamstrung them, they'll never catch up with you to get them back!

    5th Jul 2017
    5:27pm
    This is a problem world wide, not just Australia. If the Pentagon can be hacked what chance do mere public servants in IT have. Every time I use a credit card, a part of me goes with that transaction and finishes up God knows where. Electronic data is unsafe at all times and I hope that my wife and I never have our identity stolen. How a stolen identity is used is the frightening bit. All of us have read about people being fined, made bankrupt, lost assets and worse because their ID was stolen and authorities don't believe the victim.
    Eddy
    5th Jul 2017
    8:22pm
    While I do not pretend to know all the technical problems involved, I suggest the only way to protect our personal data is to isolate that data to networks that are not connected to the internet, Surely our wonderful NBN can provide these secure networks. I know Defence has a similar network which uses dedicated microwave and/or satellite transmission totally isolated from the internet. Why not?
    Anonymous
    5th Jul 2017
    10:05pm
    I am also very light on IT knowledge Eddy but I think the most secure network is the Dark Web. All of the stuff we use can be hacked.
    Dot
    5th Jul 2017
    8:58pm
    What a surprise, hasn't this whole country been sold off.
    Old Geezer
    10th Jul 2017
    2:11pm
    Yes so what people can do is simply don't deal with foreigners or buy foreign products. If it's not made in Australia I don't buy it myself. Anyone that rings with a foreign accent gets no assistance from me. If everyone did the same we would send the foreigners packing.

    8th Jul 2017
    8:11am
    Many years ago a programmer I know well accidentally broke into the APRA database of trustees of self-managed super funds. He didn't intend to break in, and when he realized he had accessed private information he immediately phoned APRA and told them how he had achieved that. The response was ''it's not possible''. They refused to take his claim seriously until he actually sent them a file containing all their data, along with specific instructions how to have their own programmers create a similar file.

    I'm not at all surprised that other confidential databases held by government agencies are able to be compromised. The security just isn't up to scratch, and those responsible for it are far too arrogant and self-opinionated. Anyone not concerned about the implications of these breaches is naïve. I guess we all just have to wait and see what results from this latest fiasco, but at best it will be expensive for the nation.
    Old Geezer
    10th Jul 2017
    2:08pm
    Rainey no system is 100% secure as if it was no one could use it. So all systems can be hacked. I have two identities now that I use so as to keep my actual identity secure as I possibly can. Yes I only use my real date of birth when it can be checked and use a false one for everything else.

    Remember there is no such thing as a confidential database as if they can be used they can be hacked.
    Blossom
    10th Jul 2017
    3:29pm
    If Telstra are going to handle the Bowel Cancer Register I am not sending back information a second time
    Old Geezer
    10th Jul 2017
    4:26pm
    I send mine back all the time as it is a waste of time.
    codger
    23rd Nov 2017
    1:18pm
    why are these idiots in government not looking at other alternatives eg. the German idea of having your info. on a chip in your medicare card? answer! because they are too bloody stupid to consider that there is something better than what they have duh!!!

