The Medicare Machine - patient details of "any Australian" for sale on darknet

An investigation by Guardian Australia has uncovered a serious privacy breach and privacy concerns for all Australian Medicare Card holders.

The investigation uncovered a darknet auction site illegally selling the Medicare patient details of any Australian for less than $30 from a darknet vendor “exploiting a vulnerability” in a government system dubbed “the Medicare machine”.

The Guardian Australia went further and purchased the Medicare details of a Guardian journalist, which where then supplied by the darknet vendor.

As Medicare Card details are not publicly available, the details prove to be valuable to organised crime groups who then produce fake physical cards and commit further fraud.

Minister for Human Services Alan Tudge has asked his department and the Australian Federal Police to investigate.

"Claims made in the Guardian newspaper that Medicare card numbers are able to be purchased on the dark web are being taken seriously by the Government and are under investigation," Mr Tudge said in a statement.

Assistant Minister to the Treasurer Michael Sukkar said it was an “extremely concerning” incident. “It’s very alarming to me if any of that data is finding its way into hands that it shouldn’t be,” Mr Sukkar told Sky News.

“This is going to be an ongoing issue as more and more of our information ultimately is collected and stored online. Governments are going to have to be much better at protecting that data.”

Doctors now are also questioning medical record confidentiality and fear 'dark web' revelations will stop patients using digital medical files.

The Australian Medical Association (AMA) says breach needs to be resolved so Australians do not opt out of My Health Record. 
    
What a data breach might mean for you

In addition to the reputational and financial risks, under the recently passed Notifiable Data Breaches scheme, that will come into effect in February 2018, your business can be directed to notify any individuals affected by a data breach that is likely to result in serious harm.

Your businesses should continue to take reasonable steps to ensure personal information is held securely and look to be equipped with a clear response plan in the event of a data breach.

For further coverage on the Guardian Australian investigation

For further news coverage