Over the last couple of days, a major privacy story has broken with a journalist from The Guardian buying their Medicare records from a source on the dark web. Today, Health Minister Alan Tudge has said the data, which can be bought for around $25 per record, is not part of a massive leak but more likely the accessing of data using stolen account credentials.
The initial investigation, conducted by Paul Farrell from The Guardian highlighted a significant vulnerability about how Medicare numbers were secured.
On its own, a Medicare number isn't all that useful. But when matched up with some other data it could be used to falsify an identity or, by an unscrupulous doctor, to order services and then receiving rebates.
Tudge appeared on Sky News today, saying access to Medicare information was by someone with access to the system and that the matter has been referred to the Australian Federal Police.
"The advice from our chief information officer is there hasn't been a cyber security attack on our systems as such and it is a traditional criminal activity," said Tudge.
This is unlikely to be a mass data leak as the data can only be accessed by providing the seller with some specific information rather than being the typical data dump we see when data is stolen.
Why data like this isn't protected by multi-factor authentication or some other means is a mystery to me. The theft of user credentials is one of the most powerful tools available to threat actors. And there's no telling what other access someone with these user credentials could have if they chose to move laterally through systems using their access.