An eight-year-old system accessed by health professionals more than 40,000 times a day appears to be behind the vulnerability that led to the sale of people's Medicare card numbers for approximately $30 each.
The federal government has since responded by
launching an independent review of the system, which is known as Health
Professionals Online Services (HPOS).
The system – designed to be used by general practitioners, hospitals and
other health providers to ensure people without their Medicare card can
still receive emergency treatment – was introduced in 2009, and has not
been significantly altered during the eight years that followed.
The review will focus on improving the system's security to better
safeguard patient details. It will commence immediately under the
leadership of Professor Peter Shergold and will deliver a report on 30
Last week the Guardian Australia published an investigation that found
anyone's Medicare details could be purchased from a trader on the dark web
for roughly $30. In exchange for payment, a name and birthdate, the
trader could provide a Medicare card number, which could then be used in
the fraudulent purchase of goods, such as mobile phones, cars or property.
The HPOS database works in the same way, allowing a health provider to acquire a Medicare card number upon entering a name and date of birth.
At least 75 Medicare card numbers were sold using the so-called "Medicare
machine", but the trader's posting suggests more details were compromised
using an earlier iteration.
The Department of Human Services emphasised that a Medicare card number
alone cannot provide access to any medical or clinical records.
An Australian Federal Police investigation into the sale of Medicare card
details on the dark web remains ongoing.