Over the last couple of days a major privacy story has broken, with a journalist from The Guardian buying their own Medicare card details from a seller on the dark web. Today Human Services Minister Alan Tudge said the data, which can be bought for around $25 per record, is not the result of a massive leak but more likely came from someone accessing records with stolen account credentials.
The initial investigation, by Paul Farrell of The Guardian, highlighted a significant weakness in how access to Medicare numbers is secured.
On its own, a Medicare number isn’t all that useful. Matched with other personal details, though, it can be used to build a false identity or, by an unscrupulous doctor, to claim for services and collect the rebates.
Tudge appeared on Sky News today, saying the Medicare details had been obtained by someone who already had access to the system, and that the matter has been referred to the Australian Federal Police.
“The advice from our chief information officer is there hasn’t been a cyber security attack on our systems as such and it is a traditional criminal activity,” said Tudge.
This is unlikely to be a mass data leak. The seller only produces a record after the buyer supplies identifying details about the person, and delivers records one at a time; that is the pattern of someone running live queries against the system, not the bulk data dump we typically see when a database is stolen.
Why data like this isn’t protected by multi-factor authentication, or some other control beyond a password, is a mystery to me. Stolen user credentials are one of the most powerful tools available to threat actors, and there is no telling what else someone holding these credentials could reach if they chose to move laterally through connected systems.
Comments
2 responses to “Medicare Number Leak: Why Protecting User Creds Matters”
That’s the thing I don’t understand… if it’s not a cyber security attack, then what is it exactly?
If it’s individual access within their own system, are they saying they can’t audit log access? I am a bit alarmed they know it’s not an attack… but can’t identify who accessed Mr X’s Medicare details at a set window of time.
Yep – it looks like either an employee or someone with remote access and log-in credentials. As they’re selling records one at a time, it seems they are simply logging in and doing a query rather than accessing a dump of all the data. And I agree that an audit log would solve the mystery.
The audit log won’t solve the mystery – the reality is thousands of these lookup transactions happen every day from all the medical practices around Australia to look up or verify Medicare details via systems like HPOS (https://www.humanservices.gov.au/health-professionals/services/medicare/hpos).
So unless you also know the details of the person(s) being looked up by the individual selling the Medicare info (i.e. you know exactly who they are requesting every time), so that you can try and see which credentials are asking for the details (and typically, at best, this will let you identify which medical practice is asking), you’ll never be able to differentiate the legitimate and illegitimate requests.
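The approach the last two comments describe, reduced to code as an added example (this is not part of the original post or the comments; the audit-log line format, the credential and practice identifiers, the record identifiers and the purchase windows are all constructed for illustration): a single lookup is indistinguishable from the thousands of legitimate HPOS-style verifications made every day, but an investigator who makes several controlled purchases of records they already know, noting who was asked for and when, can intersect the set of credentials that queried each target inside each window. One purchase leaves several candidates, because a legitimate practice may have looked up the same person that hour; each further purchase of a different record removes the coincidental ones. As the comment notes, the surviving credential typically identifies a practice rather than a person, so the example also reports which practices it was used from.

```python
"""Correlating controlled test purchases against a Medicare lookup audit log.

Constructed example, not from the post: the log format, identifiers and
timestamps are all made up for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime

# Assumed (hypothetical) audit-log line format, one lookup per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+cred=(?P<cred>\S+)\s+practice=(?P<practice>\S+)"
    r"\s+action=lookup\s+subject=(?P<subject>\S+)$"
)


@dataclass(frozen=True)
class Lookup:
    ts: datetime
    cred: str       # login credential that performed the lookup
    practice: str   # practice the credential is registered to
    subject: str    # record that was looked up


@dataclass(frozen=True)
class TestPurchase:
    subject: str     # the record the investigator bought (their own)
    start: datetime  # when the request was placed with the seller
    end: datetime    # when the seller delivered the record


def parse_log(lines):
    """Parse audit-log lines; lines that do not match the format are skipped."""
    lookups = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            lookups.append(Lookup(datetime.fromisoformat(m["ts"]),
                                  m["cred"], m["practice"], m["subject"]))
    return lookups


def candidates_for(lookups, purchase):
    """Every credential that looked up the bought record inside the window."""
    return {lk.cred for lk in lookups
            if lk.subject == purchase.subject
            and purchase.start <= lk.ts <= purchase.end}


def correlate(lookups, purchases):
    """Intersect the candidate sets across all purchases.

    Returns (suspects, per_purchase_candidates) so the shrinking set can be inspected.
    """
    per_purchase = [candidates_for(lookups, p) for p in purchases]
    suspects = set.intersection(*per_purchase) if per_purchase else set()
    return suspects, per_purchase


def practices_for(lookups, creds):
    """Map each credential to the practice(s) it was used from; often as far as attribution gets."""
    out = {}
    for lk in lookups:
        if lk.cred in creds:
            out.setdefault(lk.cred, set()).add(lk.practice)
    return out


# Constructed sample log.  PROV-0442 is the planted bad actor; the other lookups
# of the bought records are legitimate visits that happen to fall inside a window.
SAMPLE_LOG = """\
2017-07-03T09:02:11 cred=PROV-1107 practice=CLINIC-03 action=lookup subject=MC-2001
2017-07-03T09:05:40 cred=PROV-2290 practice=CLINIC-11 action=lookup subject=MC-4410
2017-07-03T10:14:22 cred=PROV-0442 practice=CLINIC-07 action=lookup subject=MC-2001
2017-07-03T10:15:03 cred=PROV-1107 practice=CLINIC-03 action=lookup subject=MC-2001
2017-07-03T11:30:00 cred=PROV-0442 practice=CLINIC-07 action=lookup subject=MC-3350
2017-07-04T14:02:19 cred=PROV-2290 practice=CLINIC-11 action=lookup subject=MC-5120
2017-07-04T14:40:51 cred=PROV-0442 practice=CLINIC-07 action=lookup subject=MC-5120
2017-07-04T15:01:07 cred=PROV-1107 practice=CLINIC-03 action=lookup subject=MC-4410
2017-07-05T08:55:33 cred=PROV-0442 practice=CLINIC-07 action=lookup subject=MC-7781
2017-07-05T09:10:12 cred=PROV-3014 practice=CLINIC-02 action=lookup subject=MC-7781
this line is deliberately malformed and must be skipped
""".splitlines()

# Three controlled purchases (constructed): record bought, request placed, record received.
PURCHASES = [
    TestPurchase("MC-2001", datetime(2017, 7, 3, 10, 0), datetime(2017, 7, 3, 11, 0)),
    TestPurchase("MC-5120", datetime(2017, 7, 4, 14, 0), datetime(2017, 7, 4, 15, 0)),
    TestPurchase("MC-7781", datetime(2017, 7, 5, 8, 30), datetime(2017, 7, 5, 9, 30)),
]


def run_example():
    lookups = parse_log(SAMPLE_LOG)
    suspects, per_purchase = correlate(lookups, PURCHASES)
    return suspects, per_purchase, practices_for(lookups, suspects)


if __name__ == "__main__":
    suspects, per_purchase, practices = run_example()
    for p, cands in zip(PURCHASES, per_purchase):
        print(f"{p.subject}: {sorted(cands)}")
    print("surviving suspects:", sorted(suspects), practices)
```

Running it shows two candidates per window and a single credential surviving all three; with only the first purchase the legitimate GP credential is still in the set, which is the commenter's point that one lookup alone proves nothing. Widening the purchase windows admits more coincidental lookups, so the tighter the investigator can time each request and delivery, the fewer purchases are needed.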