The Department of Human Services flagged the illegal sale of Medicare details on the dark web almost a fortnight before the illicit trade was exposed in a bombshell media report, The New Daily can exclusively reveal.
Internal emails, obtained under freedom of information laws, reveal that department officials discussed the security issue as early as June 22 – nearly two weeks before revelations that Medicare numbers were being sold online.
On July 4, The Guardian revealed that a dark web vendor was advertising the sale of any Australian’s Medicare number for the bitcoin equivalent of just $22 after exploiting a government system vulnerability.
In the wake of the revelations, Human Services Minister Alan Tudge said that he and his department had only learned of the illicit trade when contacted by a Guardian journalist on July 3.
However, high-priority correspondence within DHS shows that senior officials discussed the trade on the dark net, which is only accessible through a customised browser, nearly two weeks before it made the news.
On June 22, Rhonda Morris, national manager for serious non-compliance, raised the issue with Kate Buggy, national manager for internal fraud control and investigations, and Mark Withnell, general manager of business integrity, as well as several unnamed officials.
In a later email on July 3, Mr Withnell apparently connected The Guardian’s inquiries to the department’s earlier discussions on the issue, writing to colleagues: “This is the one I was mentioning last week.”
It is unclear exactly what DHS knew about the sale of Medicare details on the dark web prior to July’s media report.
Citing exemptions related to law enforcement and criminal investigations, the department redacted most of the content of the emails released to The New Daily.
It refused to release numerous other related emails entirely.
A DHS spokesman denied the department had knowledge of a specific breach in June and said its internal discussions had only related to general matters.
Mr Tudge reiterated that he had no prior knowledge of the breach.
“I was not aware of this case until July 3 when the journalist alerted me to them,” he told The New Daily.
“When I was alerted to this my department immediately did the following three things: Firstly they referred this potential criminal activity to the Australian Federal Police, secondly they commenced an internal inquiry into the use of HPOS, and thirdly the Health Minister and I announced an external review would be undertaken.”
In September, DHS told the Senate that as many as 165 people may have had their Medicare numbers sold to unknown parties, although there had been no unauthorised access of any Australian’s health records.
Last month, a seperate review commissioned by the department recommended beefing up the authentication procedures required to access the online database used by healthcare professionals.
Although the AFP is continuing to investigate the source of the breach, the government has said it was likely the result of “traditional criminal activity” rather than a cyber attack.
In February, DHS was embroiled in controversy after it released the personal information of a Centrelink recipient to a journalist in order to defuse claims she made in the media.