An investigation by The Guardian has exposed a serious Medicare security breach, with patient details for sale on a website for illegal products.
The vendor, on a popular darknet site auctioning illegal products, claims to have access to any Australian’s Medicare card details and can produce them on request.
The darknet is popular with criminal organisations because information on it is not indexed or searchable.
The Guardian verified the vendor’s claims by requesting a staff member’s Medicare details, which were provided for a fee of 0.0089 bitcoin, equivalent to $29.
The card details are valuable to organised crime groups because they allow them to produce fake Medicare cards with legitimate information that can be used for identity fraud.
Card details can also be used to defraud the Government of Medicare rebates. In 2015, a police strike force targeted a group that was using Medicare card details to direct rebate payments into fraudulent bank accounts.
A spokeswoman for the Department of Human Services told The Guardian that the breach was being investigated.
The Government recently passed legislation requiring government agencies and private companies to alert the Privacy Commissioner and any people affected of any data breaches, but these laws do not come into effect until 22 February 2018.
The legislation requires agencies or companies to notify affected parties about the steps they should take in response to the data breach.
Human Services Minister Alan Tudge said the alleged data breach is being taken seriously and has been referred to the Australian Federal Police.
“The security of personal data is an extremely serious matter,” Mr Tudge said in a statement.
“I have received assurance that the information obtained by the journalist was not sufficient to access any personal health record. The only information claimed to be supplied by the site was the Medicare card number. The journalist was asked to provide his own name and date of birth in order to obtain the Medicare card number.”
This Medicare data breach is one of the worst in recent history and, with the method being used to extract the information still unknown, it will prove very difficult for government agencies to track.
As both the Human Services and the Health departments have access to Medicare details, it will be tricky to find which party has been successfully hacked.
This breach is a horrible invasion of privacy that could lead to identity theft. And things could get worse if government agencies don’t beef up their security systems.
Next year, the full health records of all Australians will go into a centralised database called ‘My Health Records’ unless they opt out of the program. Many people would not have heard about the introduction of this scheme, much less the option of opting out, meaning that millions of Australians’ details will be vulnerable to hackers.
A centralised database with access points at any hospital or doctor’s surgery would be extremely vulnerable to hacking.
Germany has a safer system with patient details recorded on a chip on their medical cards. This means a patient’s full health record is available to medical practitioners without the need to access a massive database.
There is also an issue with private companies holding a great deal more medical information thanks to the Government privatising services.
Last year, the Government announced that Telstra Health would manage a new national cancer screening register. This was the first time the Government placed sensitive medical records in private hands, and this latest breach shows the difficulties with such an approach.
The Government’s Notifiable Data Breach (NDB) legislation scheduled to come into effect next year provides some comfort that private companies will do the right thing if they notice a problem. Government agencies, though, are much better placed to detect a breach or stop one occurring in the first place.
What do you think? Are you worried about your Medicare details ending up in the wrong hands?