The Department of Human Services issued new Medicare numbers to 165 people after learning some had been sold on the dark web, twice the number previously thought to be affected.
Deputy secretary Caroline Edwards told a Senate inquiry into the dark web scandal that the department had contacted 165 individuals and reset their numbers “in an abundance of caution”.
The action came in response to revelations in July that Medicare numbers were being sold online via the dark web for $29 per record.
It was originally reported that about 75 Medicare numbers had been accessed via the dark web-based service. However, Edwards today said she could not reconcile that number with DHS’ own figures.
“I don’t know where the 75 number comes from,” she said.
“We have moved to do what we call customer recovery in relation to all the records which could conceivably have been affected, and for everybody who might have conceivably been affected, their records have been carefully checked.
“We have no evidence there was any inappropriate Medicare claiming activity or other transaction on any of those, but as a matter of caution each person has been contacted and has been issued with a new Medicare number.”
Edwards said that process had meant contacting and reissuing Medicare numbers to “about 165 people”.
“But I’d hasten to add that’s not necessarily any relation to the matters that are before the Australian Federal Police,” she said.
“That’s a function of us looking as widely as necessary to check who might possibly have been affected.”
Edwards said Medicare numbers were “frequently” reissued for a variety of reasons.
“Of all that activity, in 165 cases it’s potentially possible there might have been some access to the number through this incident but those people would have been told there’s a potential compromise of your record, there’s no unauthorised access, but in abundance of caution we’re issuing you a new number and here’s the number,” she said.
It is thought that the dark web seller had access to a legitimate log-in for DHS’ HPOS Medicare verification service for healthcare providers, although the exact details are being held back pending the results of an Australian Federal Police investigation.
Edwards said today there were “163,000-odd potential ways into HPOS” (that is, registered accounts), though she noted “some people might have more than one route in”, such as through multiple logon credentials.
She indicated that DHS had logs that meant it could determine the “access point” that the dark web seller was using, though this was unlikely to identify the individual allegedly responsible.
“If [someone] was to look up a particular person, [or make] an inquiry about access to their Medicare number, we would know through which access point through which that inquiry had come,” Edwards said.