Australian Medicare records sold by request on the dark web at $22 each

The Australian government is leading an investigation after a vulnerability in government systems led to a dark web auction of Australian patients” Medicare details, revealed Guardian Australia. Before going public with the outcome of its investigative report, Guardian Australia contacted the Department of Human Services, Department of Health, Australian federal police and information commissioner.

They are “exploiting a vulnerability which has a much more solid foundation which means not only will it be a lot faster and easier for myself, but it will be here to stay. I hope, lol,” the seller wrote.

“Purchase this listing and leave the first and last name, and DOB of any Australian citizen, and you will receive their Medicare patient details in full.”

The records are not available to the general public, turning them into a real goldmine for criminals involved in ID fraud. Using the logo of Australian Department of Human Services, a “highly trusted vendor” is selling the card details of “any Australian” for 0.0089 bitcoin each, approximately US$22.

Since October 2016, 75 Medicare card details have been sold, but investigators believe prior sales may have been significantly higher. “The listing page suggests they may have also been selling a large number before October 2016 but were forced to change their method for accessing the data,” writes the Guardian.

“It’s very alarming to me if any of that data is finding its way into hands that it shouldn’t be,” said Assistant Treasurer Michael Sukkar. “This is going to be an ongoing issue as more and more of our information ultimately is collected and stored online. Governments are going to have to be much better at protecting that data.”

According to Human Services Minister Alan Tudge, “the only information claimed to be supplied by the site was the Medicare card number” which is not enough to get complete personal health records. As a result, the journalist who carried out the investigation still had to enter his name and date of birth. However, illegal access to the card numbers is “nevertheless of great concern.”