A hacker on the dark web is reportedly selling access to individual records hijacked from Australia's healthcare system for as little as £17 ($22) each. The data, allegedly obtained via a vulnerability in government computer networks, was listed under the title 'the Medicare machine'.
It is believed the underground vendor has sold at least 75 Medicare files since October 2016, according to an investigation by Guardian Australia, which verified the hacker's claims by requesting a portion of its own journalist's information. It found the culprit had been active for months.
In Australia, Medicare is a universal healthcare system managed by the Department of Human Services. Citizens apply for Medicare cards that store personal information and let them receive medical services, discounted prescriptions and free hospital visits.
Guardian Australia found that the hacker was claiming to be able to access the Medicare details of any Australian citizen for 0.0089 bitcoin each.
"Leave the first and last name, and DoB of any Australian citizen, and you will receive their Medicare patient details in full," the vendor wrote online.
In the case of the reporter, the hacker was able to provide a real Medicare card number and expiry date as proof. The marketplace in question is hosted on the dark web, an anonymous network often used to conduct illegal activities, including the sale of drugs and hacked databases.
The leak is not publicly listed for anyone to search. But once purchased, either individually or in bulk, the data could be useful to criminal gangs as part of fraud schemes. Typically, personal information of this nature leads to increased risk of email phishing attacks and blackmail attempts.
Patient data at risk?
According to News.au, an IT specialist called Paul Power said that if a hacker has access to a citizen's name, date of birth and Medicare card number then they could potentially also log into My Health Record, a centralised repository of patient data, before holding a victim to ransom.
It remains unknown what – if any – computer vulnerability the hacker has exploited to access the files. A spokesperson for the Department of Human Services said the government is now working with security services to investigate the sale of alleged Medicare card records.
She said: "Thorough investigations are conducted whenever claims such as this are made. The department takes every precaution to protect the sensitive information of Australians, and to safeguard the payments we make on behalf of the Australian government."
Alan Tudge, the human services minister responsible for matters of healthcare, attempted to play down the danger of the incident by telling media outlets that it would be "fear-mongering" to suggest that full citizen health records could be obtained with a Medicare card number alone.
He said: "The advice I have received from the chief information officer in my department is that there has not been a cybersecurity breach of our systems but rather it is more likely to have been a traditional criminal activity."
Political opponents, however, have predictably been quick to judge the response of the government, led since 2015 by prime minister Malcolm Turnbull. Two shadow ministers, Catherine King and Linda Burney, issued a joint statement slamming its reaction.
"The revelation that Australians' Medicare identities are available for purchase on the dark web is incomprehensible," the pair said. "But equally disturbing is the Turnbull government's incompetent response. The government's attempt to dodge questions on this simply isn't good enough."
Acting opposition leader Tanya Plibersek branded the event an "internet catastrophe". She said: "It is absolutely critical that the government explain today, immediately, how many records have been breached. When did the government find out that this security risk was occurring?"
But assistant treasurer Michael Sukkar stressed the government takes its data protection responsibilities seriously. He told Sky News: "We will do absolutely everything possible to protect that data. If that means more work and more upgrades to our system, then so be it."
But Sukkar added: "It's alarming to me if any of that data is finding its way into hands that it shouldn't be. Governments are going to have to be much better at protecting that data."