Explainer: Why the Medicare card breach is so scary.

Claims have surfaced that anyone’s Medicare details are available for purchase online. It’s scary stuff, given the potential implications including identity theft and access to medical records.

So what does it mean and how concerned should you be? We found out.

How it works.

The Guardian journalist Paul Farrell reported on Tuesday that the news site had found a seller on the “dark web” – a part of the internet that can only be accessed through specific software and authorisation – who was advertising the sale of Medicare card numbers.

Simply provide someone’s full name and date of birth and the seller will provide you with their Medicare number, the Guardian reports. The service can cost less than $30 and the vendor has sold at least 75 Australians’ Medicare card details since October 2016. Farrell tested it out with his own details, as has a journalist at SBS, but it’s not yet clear how the seller has access to these details and whether they could access every Australian’s card number.

Expert in internet safety and cybercrime at the University of Canberra, Nigel Phair, suggested to Mamamia that the seller was someone who had access to Medicare numbers through their work in an official capacity and that they are abusing this position. Minister for Human Services Alan Tudge backed this belief up on Tuesday when he described the crime as “traditional criminal activity”, rather than a cyber security breach.

Why it’s scary.

There are three main concerns identified so far if a person could access your Medicare card number.

Identity fraud. Criminals could create a fake card using real details to be used as a point of identification for buying or leasing goods, such as phones or cars, among other activities. A Medicare card counts as 25 points towards the 100 points of ID.


To buy drugs. The buyer could use the victim’s number on a fake card to buy prescription medication that can be used to make drugs.

Accessing medical data. This is an area of particular concern given that Australia will be moving to an opt-out policy for online medical records. In 2018, you’ll have to say “no” if you don’t want your medical records online.

However, Minister for Human Services Alan Tudge said the online seller does not grant you access to the person’s medical details, just their number. AMA President Dr Michael Gannon said he was reassured that people’s medical records were safe.

“I’ve sought and been given reassurances this morning… that there is no risk to people who have a MyHealth record. That’s been of great reassurance to me,” Dr Gannon told Nine News’ Tim McMillan this morning.

What’s being done about it.

On Tuesday, Minister for Human Services Alan Tudge said The Guardian’s claims were being “taken seriously by the government and are under investigation”, with the matter referred to the Australian Federal Police.

“I cannot comment on cyber operations, however, I confirm that investigations into activities on the dark web occur continually,” Tudge said.

"The security of personal data is an extremely serious matter. Thorough investigations are conducted whenever claims such as this are made."

"The Department of Human Services receives ongoing advice and assurance regarding its cyber security capabilities from the Australian Signals Directorate, the nation's top cyber security agency."

What can you do?

Well, not much, according to internet safety expert Nigel Phair. He told Mamamia that due to the nature of the believed crime - that it's one person abusing their position to access Medicare details in real time - doing things like changing your Medicare number or cutting your card won't prevent you from being a victim of the crime.

Phair said we should be "alert not alarmed". He advised Aussies to keep abreast of their affairs, including checking their bank accounts.

"It's important to understand that your identity has value. When you're talking to people, entering data into websites... people are interested in your identifying information."

Phair said the responsibility falls on the Federal Government to find this vendor and ensure Medicare and other personal details entrusted to them are safe in the future.