The anonymous vendor selling Medicare card data on the dark web likely obtained the details through a compromise of legitimate access credentials, Human Services minister Alan Tudge has indicated.
The Guardian yesterday revealed that an unknown individual was offering any Australian's Medicare card data for around A$29 per file, once the target's full name and date of birth are provided.
The vendor claims to have exploited a "vulnerability [with a] solid foundation" to access the details.
Tudge yesterday said there had been no "cyber attack" on the government's IT systems; rather, the card data breach was more likely perpetrated through "traditional criminal activity".
Fronting media again this morning, Tudge indicated legitimate access had likely been compromised.
"It wasn't a hacking of our systems as such which enabled someone to access those Medicare card numbers," he told Sky News.
"There are obviously other people that have access to Medicare numbers, but I don't want to speculate or say anything further that might jeopardise the Australian Federal Police investigation.
"In the past we've had people literally break into doctors' clinics to seize Medicare card numbers."
He declined to provide a list of those who have access to the Medicare records database.
However, Tudge did say that the policies under which people can access Medicare card numbers "properly and legitimately" are the same policies "that have been in place for many years".
The minister said he had given a confidential briefing to the president of the Australian Medical Association, Michael Gannon, on the matter.
"We are doing an internal investigation where we review some of those policies, but I don't want to compromise the federal police investigation by revealing too much," Tudge told ABC radio.
The information the dark web seller asks for in return for a Medicare number - full name and date of birth - is the same data required for a search on Human Services' HPOS Medicare verification service for healthcare providers.
"When a Medicare card number is unavailable, you can enter personal information such as surname, first name and date of birth for the patient," its website states. These are the only mandatory search fields.
It will return a Medicare card number, individual reference number (IRN), and first name - the same data the vendor promises to supply after payment.
So far the vendor claims to have sold Medicare card records for 75 people. A Medicare card is valuable to criminals both for identity fraud and for defrauding the government of Medicare rebates.
The government was alerted to the problem by The Guardian yesterday, and has referred it to the AFP for investigation.