The so-called Medicare Machine is just one of several fraud services on offer on a dark web store run by the same user.
The vendor has also sold dozens of email logins, claiming they are linked to iiNet, Optus, Bigpond and TPG accounts, and has received dozens of positive feedback forms.
The seller has also sold 13 business credit cards, claiming they are linked to a company operating in Melbourne.
The Medicare scam was first reported by the Guardian Australia, which revealed one of its own journalists had tested the service by purchasing their own Medicare card number.
The tool allows anyone to provide the name and date-of-birth of an Australian citizen and receive that person’s Medicare number.
I was able to create an account on the dark web marketplace in question, which SBS World News has decided not to identify, and locate the vendor’s online store in a matter of minutes.A detailed feedback system makes it easy to see which products have been bought before, how many times, and what the buyers thought of the service they received.
The dark web vendor who sells Medicare numbers stocks a range of other fraud products Source: SBS / James Elton-Pym
One user who claims to have purchased the ‘Aussie Business Credit Cards’ praises the “great quality”, while another describes the vendor as “polite and trustworthy”.
Human Services minister Alan Tudge said the case had been referred to the Australian Federal Police. He said he could not comment on cyber operations, but said dark web investigations “occur regularly”.
But a search of the dark web marketplaces reveals several other vendors classified as Australian who are selling scans of Australian drivers’ licenses and Medicare card, PayPal accounts, email logins and bulk purchases of credit cards.
Not to mention the far larger market for illicit drugs.
Creating an account is quick and easy, and the Tor Network used to access the dark web provides a level of anonymity that makes the task difficult for law enforcement. The marketplace also insists on Bitcoin payment, which makes payments difficult to trace.
On top of that, individual shoppers can use their own encryption or a VPN to further disguise their activities.
The security concerns raised by the Medicare data breach are likely to become even more pressing in the near future, given the government announced a new opt-out online health record in the 2017 Budget.
Nearly five million people have already registered to receive a My Health Record when the system comes online in mid-2018.
Nigel Phair, an expert in internet safety and cybercrime at the University of Canberra, said it was important for the government to maintain public trust in the security of their health data.
“If we want to get more and more Australians to access electronic health records, we really need to give them a confidence and the trust in the system to do so,” he said.
"And that is severely lacking at the moment.”