Minister says Oz Medicare breach was crims, not hackers

The fallout from Australia's Medicare card number leak continued yesterday afternoon, with Minister for Human Services Alan Tudge trying unsuccessfully to hose down the flames.

In an afternoon press conference, Tudge seemed to suggest that “the Medicare machine”, who is using a marketplace on the Tor network to sell individuals' Medicare card numbers for $30, is someone abusing system logins rather than some kind of hacking incident.

In the press conference (we've transcribed it below), the minister said what was happening was “traditional criminal activity”.

That seems to suggest that “the Medicare machine” knows someone with a valid login to Medicare systems such as the Department of Human Services' Health Professional Online Services (HPOS), and that's how they're obtaining individuals' Medicare numbers.

That explanation hasn't quieted criticism of the government over the breach, most particularly since the government will soon make its e-health system, MyHealthRecord, opt-out rather than opt-in as it is now.

Former NSW deputy privacy commissioner and now privacy consultant Anna Johnston of Salinger Privacy noted that the HPOS undermines MyHealthRecord's privacy controls.

What the hell? This (HPOS service) undermines a key privacy control on MyHealthRecord. That undermines PIA conclusions re opt-out MyHR risks https://t.co/ORYplHbeeE

— Anna Johnston (@SalingerPrivacy) July 4, 2017

Johnston was responding to this, from consultant Justin Warrent:

Oh right. It's super easy to get someone's medicare number if you know their name and DOB: https://t.co/Q86B407YAg

— Justin Warren (@jpwarren) July 4, 2017

The minister's statement

Tudge: “I will just make some brief comments this afternoon in relation to the claims made in The Guardian newspaper article this morning that some Medicare card numbers were for sale on the Internet.

“Firstly, can I say that we take such claims very seriously. Indeed we already have an internal investigation under way and we have referred the matter to the Australian Federal Police for possible criminal investigation.

“The second point I would make is, what is being claimed is that Medicare card numbers alone have been obtained. This is a very important point, nobody's Health Records can be accessed with just a Medicare card number.

“Anybody who suggests otherwise is irresponsible and fear-mongering. That is exactly what the Labor Party has been doing today. Tanya Plibersek herself used to be a Human Services Minister. She knows exactly what the situation is. And that is no-one's Health Records can be obtained with just a Medicare card number.

“The third point I would make is that the report suggests the numbers involved are very small and there is no indication there has been a wide-scale breach.

“The final point I would make is that the advice I have received from the Chief Information Officer in my Department is that there has not been a cyber security breach of our systems, as such, but rather it is more likely to have been a traditional criminal activity.

“As I said, we have referred this matter to the Australian Federal Police and they will get to the bottom of all this.” ®