Australia Digs Into Medicare Card Breach MysteryGovernment Raises Eyebrows by Claiming Leak Isn't a Breach
The fraudster who is selling Australian Medicare card details has clocked one more sale over the past day as the government and federal police try to figure out how its systems were illegally accessed.
See Also: The Global State of Online Digital Trust
On Tuesday, the Guardian reported a vendor on an underground market was offering the "Medicare Machine," a service for looking up any Australian citizen's Medicare number. One lookup costs about AU $29 (US $22), payable in several virtual currencies.
Medicare card numbers are used for reimbursement claims for doctor visits and prescriptions under the country's public health system. The cards are also frequently requested as a secondary form of identification for other services, such as passport applications, rental tenancies and voter registration.
Minister for Human Services Alan Tudge has described the data loss as "very small" and that the government was taking the claim "very seriously." He denied there was a breach, saying "rather it is more likely to have been a traditional criminal activity," a statement that raised eyebrows.
No Risk to Health Records
Tudge tamped down worries that a leaked Medicare number could be used to access online health records. "Nobody's health records can be accessed with just a Medicare number," Tudge says. "Anyone who suggests otherwise is irresponsible and fear-mongering."
The Australian government has been building an online service called My Health Record, which contains detailed information on allergies, prescriptions, pathology reports and diagnostic images. The idea is that healthcare providers can quickly query a patient's record, improving care.
Tudge told the ABC RN Breakfast radio program on Wednesday that victims had been contacted. He didn't answer a question about how the government knows whose numbers were compromised, citing an ongoing investigation.
The theft of the card numbers poses risks for identity theft and fraud. Asking for Medicare cards as a secondary form of ID is worrying, says Vanessa Teague, a senior lecturer in the Department of Computing and Information Systems at the University of Melbourne.
In Western Australia, for example, Medicare cards can be used as a form of ID to register for internet-based voting along with easily obtainable information such as name, birth date and address, she says.
"Unfortunately the use of Medicare card numbers as partial proof of ID is widespread," Teague says. "It was never a good idea. It needs to stop now."
Product as Advertised
The seller, going by the nickname OzRort, claims to be able to deliver a Medicare number, an Individual Reference Numbe, or IRN, and expiry date of a card for any Australia citizen. Buyers must just supply the person's full name and date of birth.
OzRort appears to have first posted the advertisement last October on the AlphaBay Market, an online bazaar for weapons, drugs, malware and bogus ID documents.
By all accounts, it appears the service accurately delivers what's advertised. The Guardian received an accurate Medicare number for one of its staff members. Like other underground, eBay-like markets, buyers can write reviews of their experience with a vendor. OzRort gets top marks.
As of Tuesday, OzRort had tallied 75 sales; by Wednesday morning, it was 76. One buyer wrote on Sunday: "I bought this as a test. It definitely works. Nice one mate."
There are some ideas about how OzRort is accessing Medicare numbers. One problem for healthcare providers are those who've forgotten their Medicare card, which a provider needs for government reimbursement.
The Department of Human Services runs an online portal called Health Professional Online Services, or HPOS. If a provider needs to find a Medicare number, it can login to the portal and find one by supplying a person's name and date of birth.
But to get access to the portal, healthcare providers must have a Public Key Infrastructure digital certificate. Providers have to apply for one, which involves filling out an application and providing two forms of ID and documentation from the Registrar of the Australian Business Register.
Providers are then sent a CD with the PKI certificate. Mailed separately is a personal identification code, which is needed to activate the certificate.
OzRort's advertisement indicates the HPOS portal may be the source for the card numbers. It reads that a buyer should supply the same kind of information - a full name and birth date - that's required by the HPOS portal to retrieve a Medicare number.
It's possible that OzRort has compromised a healthcare organization and has access to computer with the digital certificate. Or OzRort may have fraudulently obtained the certificate and then compromised a provider's credentials.
OzRort writes that retrieving Medicare numbers relies on "exploiting a vulnerability which has a much more solid foundation, which means not only will it be a lot faster and easier for myself, but it will be here to stay."
Isolating the source of OzRort's information could be a mighty task. There are perhaps thousands of health care providers in Australia that may have access to HPOS.
There's little chance of getting the advertisement removed from the AlphaBay Market. Like many underground markets, it is a "hidden" website that uses the Tor anonymity system to mask its true IP address.
The website is only accessible using the Tor browser, a customized version of Firefox. Setting up websites in this way makes it very difficult for law enforcement to figure out who is behind it. Thus, the sales continue.