In July, a Guardian journalist, Paul Farrell, reported that he had recently bought his Medicare number from a darknet market vendor. Minister for Human Services, Alan Tudge, called the theft a “traditional” one not a cybersecurity breach. He then called upon the Australian Federal Police for assistance.
Farrell found a vendor on (the now non existant) Alphabay who sold stolen Australian ISP email logins, Australian credit cards, and now stolen Medicare numbers. Starting October 2016, under the name “OzRort,” this vendor provided buyers with Medicare numbers for a person of their choosing. And for only 0.0089 bitcoin (around $22).
On July 4, Tudge sought to downplay the potential damage these numbers could cause. “The suggestions are the numbers are very small and we are talking about the acquisition of Medicare card numbers only,” Tudge said. He continued by explaining that “nobody’s health records can be obtained just with a Medicare card number.” And finally that no breach of the DHS systems had occurred. “It is more likely to have been a traditional criminal activity,” he said.
The darknet marketplace vendor claimed that he collected the numbers by “exploiting a vulnerability.” The listing outlines the process for buyers: “leave the first and last name, and DOB of any Australian citizen, and you will receive their Medicare patient details in full.”
The data required by the vendor is no different than the data required by Australia’s Healthcare Professional Online Services (HPOS). Enter a name and DOB into the Medicare verification system and receive Medicare card and individual reference number. Give the vendor a name and DOB and receive the same number.
“When a Medicare card number is unavailable, you can enter personal information such as surname, first name and date of birth for the patient. The postcode, locality and suburb fields are used to further refine a search when more than one member of the public matches the information entered.
The mandatory fields used for searching are:
- surname/family name
- first name
- date of birth”
Tudge adamantly defended the possibility that a breach occurred. He likened the situation to one where someone had broken into a doctor’s office. On Sky News, where Tudge made the doctor’s office analogy, the host asked, “are you saying, coincidentally, they broke into the same doctor’s office that the reporter goes to?”
“I’m just not adding any further commentary on this,” Tudge said. “I just don’t want to jeopardise any investigation.” He said that he had suspicions but was going to let the Australian Federal Police do their job. “Claims made in the Guardian newspaper that Medicare card numbers are able to be purchased on the dark web, are being taken seriously by the government and are under investigation.”
“Thorough investigations are conducted whenever claims such as this are made,” Tudge said. “The Government has an ongoing commitment to prioritise cyber security and is constantly working to further improve our capability,” he added.