Data from the dark web marketplace shows a vendor has sold the Medicare card numbers of 75 Australians since October last year.
The story was first reported by the Guardian Australia, whose reporter Paul Farrell was able to buy his own Medicare card number by supplying his full name and date of birth.
"What this person is selling is any Australian's Medicare card data - that's me, that's you, that's the prime minister of Australia even. Anyone's data could potentially be accessed by this individual selling this information online."
Human Services minister Alan Tudge says the government referred the matter to the federal police on Monday.
He says the government is taking the matter seriously, but sought to reassure Australians that their actual medical information is safe.
"The suggestions are that the numbers are very small and we are talking about the acquisition of Medicare card numbers only. And, as I said earlier, nobody's health records can be obtained just with a Medicare card number."
The listing on the marketplace is still up and running.
Vanessa Teague, a computer privacy expert at Melbourne University, says the breach does have serious implications.
"It's highly significant. It's a great quantity of data, and it's data that could be used for a number of malicious purposes, the least of which is defrauding Medicare, for example, by going to the doctor or getting pharmaceutical prescriptions, pretending to be someone else."
The tool, called Medicare Machine, is listed for sale on a popular dark web marketplace that SBS has decided not to name.
The "dark web" is a section of the internet that is not indexed, and cannot be found using normal search engines like Google.
It is usually accessed via the Tor Browser, which helps make users anonymous, and its marketplaces use the internet currency Bitcoin to further disguise buyers and sellers from law enforcement.
Deputy Labor leader Tanya Plibersek says the onus is on the government to explain how the breach occurred.
"It is absolutely critical that the government explain today, immediately, how many records have been breached. When did the government find out that this security risk was occurring? What have they done to notify people whose records might have been sold?"
The government has been sparing with the details of its own investigation while the police work is underway.
But the minister, Alan Tudge, says the scam looks more like a conventional fraud crime than a large-scale cyberattack.
"The advice that I have received from our chief information officer is there hasn't been a cyber security attack on our systems as such and that it is a traditional criminal activity."
The minister says he does not know how many people have been contacted by his department to let them know their data had been sold.