Sale of Medicare details on dark web linked to eight-year-old system

An independent review has been launched to increase security.

An eight-year-old system accessed by health professionals more than 40,000 times a day appears to be behind the vulnerability that led to the sale of people's Medicare card numbers for approximately $30 each.

The federal government has since responded by launching an independent review of the system, which is known as Health Professionals Online Services (HPOS).

The system – designed to be used by general practitioners, hospitals and other health providers to ensure people without their Medicare card can still receive emergency treatment – was introduced in 2009, and has not been significantly altered during the eight years that followed.

The review will focus on improving the system's security to better safeguard patient details. It will commence immediately under the leadership of Professor Peter Shergold and will deliver a report on 30 September 2017.

Last week the Guardian Australia published an investigation that found anyone's Medicare details could be purchased from a trader on the dark web for roughly $30. In exchange for payment, a name and birthdate, the trader could provide a Medicare card number, which could then be used in the fraudulent purchase of goods, such as mobile phones, cars or property.

The HPOS database works in the same way, allowing a health provider to acquire a Medicare card number upon entering a name and date of birth. 

At least 75 Medicare card numbers were sold using the so-called "Medicare machine", but the trader's posting suggests more details were compromised using an earlier iteration.

The Department of Human Services emphasised that a Medicare card number alone cannot provide access to any medical or clinical records.

An Australian Federal Police investigation into the sale of Medicare card details on the dark web remains ongoing.