Australians’ Medicare details are still being illegally offered for sale on the darknet, almost two years after Guardian Australia revealed the serious privacy breach.
Screenshots of the Empire Market, provided to Guardian Australia, show the vendor Medicare Machine has rebranded as Medicare Madness, offering Medicare details for $US21.
Other vendors charge up to $US340 by offering fake Medicare cards alongside other fake forms of identification – such as a New South Wales licence.
The Medicare Madness listing suggests the Medicare details “of any living Australian citizen” have been available since September 2018.
Guardian Australia first reported patient details were on sale in July 2017, verifying the listing by requesting the data of a Guardian staff member and warning that Medicare card numbers could be used for identity theft and fraud.
The revelation prompted a review led by former secretary of the Department of Prime Minister and Cabinet Peter Shergold.
The report did not identify the source of the Medicare data leak but suggested that people could use publicly available information about healthcare providers – including their provider number and practice location – to pass security checks and obtain a Medicare card number through the Department of Human Services provider hotline.
The review panel warned the “current security check for release of Medicare card information provides a much lower level of confidence than the security requirements” for Health Professional Online Services, the portal that allows providers to make rebate claims.
An IT industry source, who refused to be named, said the re-emergence of the data breach brings into question government assurances around the privacy of medical data “when those responsible cannot even manage the security of Medicare cards”.
The source said there is a “concerted effort at the moment by law enforcement to curtail darknet market activity”.
“In reality the darknet markets, while disrupted momentarily when their sites are brought down, easily relocate and continue business.”
Darknet markets can simply send a private message to existing clients with a new link to resume business elsewhere.
The listing appears to show none have been sold since September, although it is unclear if this is an accurate summary of sales or generated by the vendor.
The Medicare Madness listing warns potential buyers that the listing is available to “verified customers only” who have purchased goods worth at least $US200 before.
Labor’s health spokeswoman, Catherine King, said the Liberals “told us they’d dealt with this breach”.
“But now we once again have criminals selling Medicare information online,” she said, questioning why the government had “failed to fix this” after two years. “It’s yet another reminder of their shocking record on privacy and cyber security … Australians simply cannot trust them to get this right.”
The review panel report noted that allowing health professionals access to their patients’ Medicare card numbers is necessary to “ensure healthcare remains accessible even for individuals who may not be able to present their Medicare card”.
The report claimed there was “no risk to patients’ health records as a result of the reported sale” but warned it “might reduce public confidence in the security of government information holdings, such as the My Health Record system”.
It recommended Medicare cards be retained as a form of secondary evidence for identity purposes but telephone services to access Medicare cards should be phased out in favour of online portal requests with a higher level of security.
The Department of Human Services said there is “no current evidence of a data breach” but refused to give further detail, citing a referral to the Australian Federal Police in 2017.
“Someone claiming to sell fraudulent Medicare cards or details does not mean our systems or personal data have been compromised.”
The Australian Privacy Foundation health committee chairman, Bernard Robertson-Dunn, told Guardian Australia that because Medicare cards are used as identification “you might be able to use a Medicare number plus other identification in some sort of fraud”.
But defrauding the government to access health services is less likely because “unlike financial fraud, you have to turn up” to access health services.
“It’s a catch-22 – if you make it difficult to get health services by increasing the level of security around it, you’re going to stop people getting services.”
Robertson-Dunn said that MyGov accounts require two-factor authentication, such as an SMS message in addition to a password, and My Health Records require MyGov accounts, so those services are more secure.
He said it would be “very difficult” for the government to eliminate breaches of Medicare data and it would be “wasting its time” unless Medicare cards are issued with security chips, like the human services access card proposed in 2007.