A dark net trader recently breached the information security system of Medicare and stole Medicare records of Australian citizens, reported The Guardian Australia. The information was sold on the dark web for $30. As soon the report was published about the availability of data on dark web auction site, The Federal Police of Australia confirmed that the data breach took place at the Department of Human Services (DHS).
Without any doubt, one of the most sensitive forms of information that can affect insurance, family, and even prospects of getting a job or travel is the private health information. Users are often required to disclose their personal information at various platforms that have caused sensitive personal information being intercepted by digital thieves.
As It Happened
The information is available to anyone against a fee of 0.0089 bitcoins, equivalent to AU$30.50 under the name “Medicare Machine”. As the investigation unfolded, it was found that the breach was conducted by a dark net trader who is selling the patient details of Medicare illegally. The incident has raised serious concerns about vulnerabilities in the government systems. Information security of a health agency getting bugged is shocking as this is potentially the most sensitive data a hacker can use and do nasty things to people whose data was stolen. The alleged seller is using a logo that says Australian Department of Human Services to advertise Medicare Machine.
What Can The Hacker Do With The Medicare Records?
The available data can be used potentially to access to health records, execute a fallacious transaction for Medicare rebates or even using personal information of individual patients for impersonation. If done rightly, such information can even be used to provide 25 points of identification in a 100-point identity card. These cards have been used by drug organizations to make purchases such as lease, property or cars, the details of this card can be fraudulently used to gain monetary benefits.
Deep Dark Web
The dark net, also known as dark web or deep web is the hub of a number of shady and illegal operations such as online drugs and other illegal goods markets, hacked login credentials, fake passports, stolen credit card details and much more. Everything is auctioned and you can imagine what it means for people whose credentials or identities are being sold.
While the Australian government has assured that the data in its information systems are secured and the breach is being actively investigated, there are concerns among individuals and groups that as long as the Medicare data is being held in a centralized location, the possibility of online theft increases. In near future, My Health Record data will also be kept centrally like Medicare.
Earlier in 2014 and 2015, public departments of Australia have accidentally disclosed information of personal details of world leaders at G20 summit and details of 10,000 asylum seekers in another incident.
Recently in 2017, department of human services DHS had a failed attempt of automating its debt collection system and ended up sending erroneous debt collection notices to customers of Centrelink. These examples exhibit negligence on part of Australian government when it comes to protecting sensitive information. It is about time that the government of Australia and department of human services realize the criticality of such breaches and take measures to address the recurring issues of information security breach.
How To Tackle The Threat of Breach?
Medical IT expert Paul Power has suggested that Australian government need to take additional security measures against such breaches and monitor online activity more diligently.
Another way to go is to implement a new German Model where the master data containing personal information is stored in personalized cards, which can be backed up at physicians or hospitals computers, he further suggested. This incident is not first of its kind. The famous Anthem data breach in 2015 had detailed records of 80 million patients of largest health insurer of US that was stolen by hackers. This resulted in many practices being implemented to protect data from the further breach; multiple identification layers, single-use identity numbers and two-factor identity authentication to name few.
From the Chinese-origin malware called Fireball and Erebus to Petya ransomware (or as Kaspersky Lab calls it ‘Not Petya‘), there are a number of incidents that have taken place in the last few months. Governments all over the world need to buckle down and devise a fail-proof strategy to handle such situations (ok, I know there’s no such thing as fail-proof but you get the point).