The source for Medicare data available for sale on the so-called “dark web” is unlikely to be from a hack of Medicare’s databases, Human Services Minister Alan Tudge has claimed. But that doesn’t make it any less concerning.
Guardian Australia journalist Paul Farrell yesterday revealed he had been able to buy his own Medicare card number on an online sales site on the “dark web” — part of the internet only accessible via a special browser where illegal drugs, guns and other illicit goods are up for sale — for less than $30.
The seller claimed that anyone’s Medicare details were accessible through the service if you provided a first name, last name and a date of birth. The site reportedly claimed to have provided 75 Medicare card numbers since October last year.
The government, while essentially confirming the breach and referring it to the Australian Federal Police, sought to downplay the problem. Tudge said repeatedly in a press conference yesterday, and in an interview on ABC RN Breakfast this morning, that health records had not been accessed. That is not the biggest concern from the revelation, however.
Medicare cards are a form of government ID that can be used in applying for credit cards and other services, and people could create their own Medicare cards and use them for healthcare fraud.
Tudge also said in interviews over the past two days that to the “best of the government’s knowledge” the Medicare database had not been hacked. He referred to it as “traditional criminal activity” rather than a “cyber attack”.
What he means here — but can’t say due to the ongoing investigation — is that the attack is much more likely to be that of someone with access to systems to look up Medicare card numbers. Tens of thousands of healthcare providers from hospitals to GPs to pathologists have access to an online portal where they can look up a person’s Medicare details using the same details needed by the dark web seller, so it is quite possible that either one healthcare provider’s access has been compromised, or someone working for one of those healthcare providers is using these systems fraudulently. This is backed up by Farrell reporting it took several days for the seller to obtain his data (suggesting someone had to go look it up), and that the database isn’t for sale as a whole.
One of the lines of investigation the AFP and Human Services will likely be undertaking right now is checking who last accessed Paul Farrell’s Medicare details — assuming access logs exist. In 2014, the ANAO criticised the Department of Human Services for not having proper access controls for users who had access to its legacy Medicare Data Warehouse — which was then due to be decommissioned in 2014. If the department hasn’t heeded this advice, it will likely face more heat from not only the auditor, but the AFP.
The government drawing the line at what is considered a “cyber attack” and what is “traditional criminal activity” is also curious. Much was made last year of the government’s report on the “threat of the trusted insider”, but most of the talk from the politicians down on that was related to preventing a leak to the media from an Edward Snowden or a Chelsea Manning — in other words, an employee. In Manning’s case, she took files out on a CD, in a relatively manual fashion. Would that be considered a cyber attack or traditional criminal activity?
Crikey asked the minister’s office for a clarification on the definition of “traditional criminal activity” but received no response.
Good reporting. Putting it in appropriate context that this is not a significant issue at all. If many of our 80,000 healthcare workers can access our Medicare card details then it’s hardly compromising to our privacy if someone ‘dark’ can then on-sell that.
The hysteria from some commentators on this pretty benign matter has been ridiculous.
Re form – “Leaky” Tudge was also “(the Minister) responsible” for Centrelink debt notices – and the use of departmental information for the slagging of Andie Fox?
A few years ago, the day after my partner went into St George Private Hospital in Sydney someone set up an online Medibank Private log in for them, using their date of birth etc, and then put through a number of bogus claims for everyone in our family. Fortunately, Medibank Private realised there was something wrong quite quickly. However it took weeks and weeks to get new Medibank Private numbers sorted out and I think they never really carried over our existing membership rights to the new numbers. I tried to report to the police who were totally uninterested. I made a report anyway. Nobody wanted to find out how it had happened, they just wanted to paper it over. Moral of the story – set up your own online account for every possible activity and it is then less likely someone else will be able to steal that account…
After 25 years in Australia the wife recently decided to apply for Australian citizenship. Despite her providing 25 years of tax returns, proof of having children born here, passport evidence and all manner of ID, the Immigration still wanted her Medicare details as final proof she was worthy of being accepted.
I wonder what the other Medicare details sold on the dark net have been used for?
See Brandis has his wish for a backdoor already! I’m sure the government is working full time to create more back doors for the ‘good guys’.