The Australian Federal Police is investigating reports Australians' personal Medicare details are being accessed and sold on the dark web, an apparent breach that has been labelled an "internet catastrophe".
According to a Guardian Australia report, an online vendor can pull up the full Medicare card details of any Australian on request — and is selling them for around $30 each — indicating a security hole somewhere in the health system.
Human Services Minister Alan Tudge said the government was taking the matter seriously.
The sales are reportedly listed on an undisclosed dark web marketplace, in which the vendor claims to be "exploiting a vulnerability" in order to run software that pulls the data. The vendor calls it "the Medicare Machine".
"Leave the first and last name, and DOB of any Australian citizen, and you will receive their Medicare patient details in full", the listing says, adding that the nature of the security hole being utilised means the vendor will be "here to stay".
In a statement, Mr Tudge said any unauthorised access to Medicare card numbers was "of great concern" and his department was also conducting its own investigation.
"The security of personal data is an extremely serious matter. Thorough investigations are conducted whenever claims such as this are made", he said.
"The government has an ongoing commitment to prioritise cyber security and is constantly working to further improve our capability".
Acting Opposition Leader Tanya Plibersek said the government has serious and urgent questions to answer on the "internet catastrophe".
"It is absolutely critical that the government explain today, immediately, how many records have been breached," she said.
"When did the government find out that this security risk was occurring? What have they done to notify people whose records might have been sold?"
Ms Plibersek accused the government of presiding over a "repeat nightmare", pointing to the Census debacle, glitches with the online NAPLAN testing system, and the "second-rate" NBN.
In order to test the veracity of the claims, Guardian Australia requested the Medicare details of a member of its staff, and confirmed the received details – including the Medicare card number and personal IRN – were accurate.
Legitimate Medicare card details could be used to create fake cards, which would be handy for criminals in identity theft. The cards could be used in part, for example, to open bank accounts, apply for a passport, get a credit card or start an illegal business.
The information would not be enough, however, to access personal health record information.
The vendor appears to have made at least 75 sales, each one netting him 0.0089 bitcoin, or $29.75 by the current exchange rate.