Alan Tudge Centrelink scandal

The source for Medicare data available for sale on the so-called “dark web” is unlikely to be from a hack of Medicare’s databases, Human Services Minister Alan Tudge has claimed. But that doesn’t make it any less concerning.

Guardian Australia journalist Paul Farrell yesterday revealed he had been able to buy his own Medicare card number on an online sales site on the “dark web” — part of the internet only accessible via a special browser where illegal drugs, guns and other illicit goods are up for sale — for less than $30.

The seller claimed that anyone’s Medicare details were accessible through the service if you provided a first name, last name and a date of birth. The site reportedly claimed to have provided 75 Medicare card numbers since October last year.

The government, while essentially confirming the breach and referring it to the Australian Federal Police, sought to downplay the problem. Tudge said repeatedly in a press conference yesterday, and in an interview on ABC RN Breakfast this morning, that health records had not been accessed. That is not the biggest concern from the revelation, however.

Medicare cards are a form of government ID that can be used in applying for credit cards and other services, and people could create their own Medicare cards and use them for healthcare fraud.

Tudge also said in interviews over the past two days that to the “best of the government’s knowledge” the Medicare database had not been hacked. He referred to it as “traditional criminal activity” rather than a “cyber attack”.

What he means here — but can’t say due to the ongoing investigation — is that the attack is much more likely to be the work of someone with access to systems to look up Medicare card numbers. Tens of thousands of healthcare providers, from hospitals to GPs to pathologists, have access to an online portal where they can look up a person’s Medicare details using the same details needed by the dark web seller. It is quite possible that either one healthcare provider’s access has been compromised, or someone working for one of those healthcare providers is using these systems fraudulently. This is backed up by Farrell reporting it took several days for the seller to obtain his data (suggesting someone had to go look it up), and that the database isn’t for sale as a whole.

One of the lines of investigation the AFP and Human Services will likely be undertaking right now is checking who last accessed Paul Farrell’s Medicare details — assuming access logs exist. In 2014, the ANAO criticised the Department of Human Services for not having proper access controls for users who had access to its legacy Medicare Data Warehouse — which was then due to be decommissioned in 2014. If the department hasn’t heeded this advice, it will likely face more heat from not only the auditor, but the AFP.

The government drawing the line at what is considered a “cyber attack” and what is “traditional criminal activity” is also curious. Much was made last year of the government’s report on the “threat of the trusted insider”, but most of the talk on that, from the politicians down, was related to preventing a leak to the media from an Edward Snowden or a Chelsea Manning — in other words, an employee. In Manning’s case, she took files out on a CD, in a relatively manual fashion. Would that be considered a cyber attack or traditional criminal activity?

Crikey asked the minister’s office for a clarification on the definition of “traditional criminal activity” but received no response.