The Australian Federal Police will investigate the sale of Medicare card information on the dark web following a referral from the Human Services Minister Alan Tudge.
A dark web vendor is selling Medicare card details for less than $30 online, the .
The website in question is a popular auction site used to buy and sell illegal goods, including drugs and fraud materials.
It is part of the so-called ‘dark web’, the unlisted section of the internet that is not indexed or discoverable through search engines.
It is accessed via the Tor browser, which makes users anonymous, and the site uses the digital crypto-currency Bitcoin to further disguise buyers and sellers from law enforcement.
According to the Guardian, a staff journalist requested their own data and received their Medicare number after providing their name and date of birth.
Mr Tudge’s office said it had received advice the information provided by the seller was not enough to access a private health record.
“Any apparent unauthorised access to Medicare card numbers is nevertheless of great concern,” the statement from Mr Tudge’s office read.
The vendor has sold at least 75 sets of Medicare card details since October 2016, according to the Guardian.
The method used to acquire the details is not yet known, but the seller reportedly claims they are “exploiting a vulnerability” in the government’s systems.
Mr Tudge said he could not comment on cyber operations, but said dark web investigations “occur regularly”.
Assistant Treasurer Michael Sukkar said the government took "extraordinarily seriously" the data it collected on individuals.
"It's very alarming to me if any of that data is finding its way into hands that it shouldn't be," he told Sky News on Tuesday.
"This is going to be an ongoing issue as more and more of our information ultimately is collected and stored online. Governments are going to have to be much better at protecting that data."
Mr Sukkar said he understood concerns people held over the "extremely concerning" reports of the breach.
"All I can do is assure you that we will do absolutely everything possible to protect that data," he said.
"If that means more work and more upgrades to our system, then so be it."
'Could be used for malicious purposes'
Last year, after a security breach of Medicare and Pharmaceutical Benefit Scheme data, the federal government announced plans to tighten laws around re-identifying government data that had been de-identified.
That breach was discovered by Vanessa Teague, a senior lecturer in the Department of Computing and Information Systems at the University of Melbourne.
Dr Teague said the question around the “serious” Medicare breach was what could be done with someone else’s details.
It could be used as leverage to find out more information about someone, she said.
“It’s a data that could be used for a number of malicious purposes the least of which is defrauding Medicare, for example, by going to the doctor or getting pharmaceutical prescriptions and pretending to be somebody else and getting reimbursed on that basis,” Dr Teague told SBS World News.
It was also important to uncover how the data was obtained, she added.
“We’re seeing probably the minimum that this person has.
“We know that they have Medicare card numbers and their expiry dates - we don’t really know how they got that information so we don’t know what other information that this person also has,” Dr Teague said.
“Your Medicare card number doesn’t say anything about you in itself but the question is whether it can then be used against you to extract further information about you.”
Federal Labor demanded to know how many records had been breached and if people had been notified of the breach.
“We have got the government that brought you the census debacle, that brought you the failed NAPLAN online efforts, that is bringing you a second-rate NBN presiding over another internet catastrophe with leaked Medicare records now available to the highest bidder,” deputy opposition leader Tanya Plibersek told reporters in Melbourne.
While it’s still unknown how the breach occurred, Medicare providers and practices find patient Medicare numbers and details through a system called Health Professional Online Services, from the Department of Human Services.
When a Medicare card number is unavailable, a patient’s surname, first name and date of birth can be used to search.
-with AAP