The Australian Senate Finance and Public Administration References Committee revealed an upcoming probe into the circumstances surrounding the stolen Medicare numbers that ended up for sale on darknet markets. The probe will also examine software and protocol issues with Health Professional Online Services, issues with My Health Record, and the way in which healthcare professionals handle Medicare information.
The probe will take place under the name “Circumstances in which Australian personal Medicare information has been compromised and made available for sale illegally on the ‘dark web.’” This event closely follows a story from July in which a Guardian journalist, Paul Farrell, investigated the existence of Medicare numbers on the AlphaBay market. Farrell found a digital items vendor named “OzRort” that offered a unique product. In addition to stolen credit card numbers and email addresses, OzRort sold the Medicare number of any person of the buyer’s choosing.
For the Guardian investigation, Farrell purchased one of the 22-dollar listings and followed the instructions provided by OzRort. “Leave the first and last name and DOB of any Australian citizen, and you will receive their Medicare patient details in full,” the listing instructed buyers. The journalist required a Medicare number that he could verify: his own. The vendor’s “exploitable vulnerability” worked; the machine gave Farrell his own number, confirming any suspicions.
Given that the information needed by the vendor matched the information needed by the Health Professional Online Service (HPOS) system, many pointed their fingers towards the outdated healthcare system. Collectively, professionals in the healthcare field use HPOS nearly 50,000 times every day. The government had previously revealed that the system had not been updated in eight years, ZDNet reported.
The Australian government adamantly denied that flaws in the HPOS system existed. Minister for Human Services, Alan Tudge, even announced that the darknet vendor had likely obtained the credentials through traditional crime; he said the vendor had stolen the credentials through a method similar to breaking into a doctor’s office and stealing patient records. “It is more likely to have been a traditional criminal activity,” he said.
In fairness, Tudge acknowledged the validity of the issue and mentioned that the Australian Federal Police had started investigating the crime. “Claims made in the Guardian newspaper that Medicare card numbers are able to be purchased on the dark web, are being taken seriously by the government and are under investigation,” he said.
The Australian Senate Finance and Public Administration References Committee, through an examination into “any failures in security and data protection which allowed this breach to occur,” might discover the true cause. The Committee’s inquiry will return results by October 16.