HACKERS are selling the Medicare card numbers of Australians on the ‘dark web’, which experts say could be used to steal your private health records.
HACKERS are selling the Medicare card numbers of Australians on the ‘dark web’, which could be used to steal private health records.
The Federal Government has confirmed it’s urgently investigating the security breach and has referred the matter to the Australian Federal Police.
A journalist from The Guardian revealed he was able to purchase his own Medicare card details from a vendor on the dark web for just $30, from a device called ‘the Medicare machine’.
Human Services Minister Alan Tudge said the concerning incident was being treated seriously, but the information being sold wasn’t sufficient to access any personal records.
That’s a claim disputed by IT experts, who have called for the government to abandon plans to automatically create a My Health Record for every Australian.
The availability of Medicare data on the dark web has heightened security concerns about the $1 billion My Health Record scheme.
IT specialist Paul Power says if you have someone’s data that’s is linked to their name, date of birth and Medicare number, hackers can access a person’s Individual Healthcare Identifier and use this to access their My Health Record.
The My Health Record will contain information that can reveal sensitive information such as mental illness, a sexually transmitted disease or an abortion and could be used to hold them to ransom.
Mr Power has been writing to Health Minister Greg Hunt to warn him the My Health Record was vulnerable to hackers.
He said while it was unfortunate Medicare information was for sale on the dark web it might make the government take his warnings seriously.
“The fact it has been exposed is a good thing because it raises the awareness of decision makers,” he said.
“Some people need to have it shoved in their faces and that has been done,” he said.
Mr Tudge insisted he had received assurances today that the information obtained by The Guardian journalist wasn’t sufficient to obtain other records.
“The only information claimed to be supplied by the site was the Medicare card number,” he said.
“The journalist was asked to provide his own name and date of birth in order to obtain the Medicare card number,” Mr Tudge said.
“Any apparent unauthorised access to Medicare card numbers is nevertheless of great concern.”
Mr Tudge said the department’s chief information officer had advised that the breach was more likely to be traditional criminal activity than a cyber security breach.
He also said “very small” amounts of card numbers had been accessed.
It’s understood the number is about 75 people’s details.
Mr Tudge did not confirm what kind of traditional criminal activity had been used to access the details as the matter was with the AFP.
The Minister dodged questions from reporters this afternoon on why the information breach was not identified sooner.
“When we are made aware of any such allegation or breach the AFP are informed immediately,” he said.
Mr Tudge confirmed the Department had become aware of the incident yesterday.
He also slammed Labor for “fearmongering”, saying health records could not be accessed with the Medicare card number alone.
Earlier, Acting Opposition leader Tanya Plibersek called on the government to answer “critical” questions about the security breach.
The acting Labor leader said cyber issues were now a “repeat nightmare” with the Turnbull government after the census “debacle”, failed efforts to launch the NAPLAN tests online and the “second-rate” NBN rollout.
“It is first of all for the government to answer on the specific Medicare records; how many have been released, how many have been sold, how have people whose records may be in the wrong hands — how they have they been notified and what action has been taken to protect the personal information of anybody who has been a victim of this,” Ms Plibersek said.
“And then the government really needs to investigate how this breach occurred and what can be done to prevent similar breaches in the future.
“This is a very, very serious privacy breach.”
News Corp revealed earlier this week that IT experts were concerned about the security of the My Health Record because the centralised data base could be accessed from more than 100,000 medical practices.
More than four million Aussies already have one of these records but next year the government will automatically create a digital health record for everyone unless they opt out of the system.
“The chances of 100 per cent securing a system with 100,000 access points against being hacked is close to zero,” Mr Power said. “The weakness of the whole system is only as strong as its weakest link.”
Mr Power says Australia should follow Germany and decentralise the storage of personal health information by attaching it to the Medicare card rather than storing the My Health Record in a centralised data base vulnerable to hacking.
The Consumer’s Health Form says it is very concerned about the sale of Medicare numbers on the dark web because the Medicare number is used as a key personal identifier for bank accounts and other purposes..
“It does make people less confident that data will be looked after on the My Health Record,” Jo Root the acting CEO of the Consumer’s Health Forum said.
“Our message would be that we need to find out how these numbers were sourced and fix that and see whether the roll out of the My Health Record needs to be looked at,” she said.
Giving every Australian a new Medicare number to protect their identity won’t solve the problem if the hackers can use the same gateway to access those numbers again, she said.
Assistant Minister to the Treasurer Michael Sukkar said the revelation was “extremely concerning”.
“It’s very alarming to me if any of that data is finding its way into hands that it shouldn’t be,” Mr Sukkar told Sky News.
“This is going to be an ongoing issue as more and more of our information ultimately is collected and stored online. Governments are going to have to be much better at protecting that data.”
The dark web is made up of websites hidden from search engines that can only be accessed using special software.
The dark web is used by many people for different things but it’s infamously used by criminals to hide illegal activity online.