After recent reports of darknet vendors selling Medicare numbers on darknet marketplaces, the Department of Human Services (DHS) issued new Medicare numbers to as many as 165 people. Although the Australian government downplayed the existence of stolen Medicare numbers, the DHS has backtracked on its statements from day one, including on the number of compromised Medicare numbers: it had originally claimed that “about” 75 numbers had been accessed.
On July 4, the Minister for Human Services, Alan Tudge, attempted to dilute the public’s knowledge of any imminent damage to the healthcare system. (That, or he was simply clueless as to the threat a Medicare database breach could cause, an opinion shared by many Australians.) “The numbers are very small and we are talking about the acquisition of Medicare card numbers only,” the Minister for Human Services reassured the public. “Nobody’s health records can be obtained just with a Medicare card number.”
While his statement was frustratingly incorrect, I have been told that it would not have been unlikely for Tudge, or anyone in the Australian government, to issue critical infrastructure announcements without knowing even partial details; he may not be intentionally misleading the public. He did, however, explain that no healthcare security systems had been breached; he said the crime was akin to breaking into a doctor’s office and stealing a small set of medical records.
Unsurprisingly, the Australian Senate Finance and Public Administration References Committee released information on a probe into the exact method by which the stolen Medicare records appeared on the darknet. A vendor on the former Alphabay market known as “OzRort” had listed a product called the “Medicare Machine.” Purchase the listing, provide “the first and last name and DOB of any Australian citizen, and you will receive their Medicare patient details in full,” the listing explained. The vendor spoke of an “exploitable vulnerability,” which Tudge denied had existed. An exploit may not have existed, but the sale of Medicare numbers was no small, isolated incident. Guardian journalist Paul Farrell alerted the media to the vendor and bought his own Medicare number.
Deputy Secretary Caroline Edwards told a Senate inquiry that, in fact, the vendor had sold more than double the DHS’s number of compromised Medicare numbers. “I don’t know where the 75 number comes from,” she said.
“We have moved to do what we call customer recovery in relation to all the records which could conceivably have been affected, and for everybody who might have conceivably been affected, their records have been carefully checked. We have no evidence there was any inappropriate Medicare claiming activity or other transaction on any of those, but as a matter of caution each person has been contacted and has been issued with a new Medicare number.
“Of all that activity, in 165 cases it’s potentially possible there might have been some access to the number through this incident but those people would have been told there’s a potential compromise of your record, there’s no unauthorised access, but in abundance of caution we’re issuing you a new number and here’s the number.”
In an effort to leave the Australian Federal Police investigation uncompromised, Edwards revealed little else, although the presence of a true exploit, based on the Deputy Secretary’s words, seemed increasingly unlikely. She explained that for every compromised Medicare number, the investigators could find the details (login credentials, etc.) of the most recent medical professional to access that person’s details. That is not proof that an exploit does not exist in the outdated, reportedly vulnerable system, but it is a sign that authorities have an angle to work from, nonetheless.
And if “OzRort” simply accessed the HPOS database with a valid or authorised login—particularly one that belonged to the vendor—apprehension may be in their future.