Half of the Australian population has had their information stolen in one of the nation’s largest data breaches.
On July 18, electronic prescription service MediSecure announced that it had ceased investigation of a cyber attack into one of its database servers in early 2024.
According to the company’s findings, hackers stole personal and sensitive information, including contact details, Medicare card numbers, and health information, of around 12.9 million Australians who used the MediSecure prescription delivery service between March 2019 and November 2023.
The hackers also uploaded an unknown amount of information onto the dark web.
While MediSecure suffered a severe data breach, the company said Australia’s digital health network was not affected as MediSecure did not participate in the system.
“At the time of the incident, MediSecure did not have any connections to the prescribing and dispensing of medications,” the company said in a statement.
“Australians can continue to access medicines safely, and healthcare providers can still prescribe and dispense as usual through the national prescription delivery service, eRx.”
The Home Affairs Department also assured the public that eRx was unaffected by the cyber attack.
“This includes prescriptions (paper and electronic) that may have been issued up until November 2023.”
MediSecure was one of two electronic prescription delivery services in Australia until late 2023.
However, in May 2023, the federal government awarded the service exclusively to eRx Script Exchange.
How the Data Breach Happened
MediSecure said it became aware of the cyber attack on April 13 when the company discovered that a database server had been encrypted by suspected ransomware.The company then took action to contain the affected database server and conducted a forensic investigation to identify the cause of the unauthorised access and the impacts.
Following the investigation, MediSecure found that hackers were likely to exfiltrate 6.5 terabytes of data stored on the server.
However, the company could not explicitly ascertain what information was accessed as the server was encrypted.
MediSecure then notified the incident to relevant authorities, including the Office of the Australian Information Commissioner, the Home Affairs Department, the Health and Aged Care Department, and the AFP.
On May 17, the electronic prescription service restored a complete backup of the affected server and started investigating the impacted information.
Authorities’ Advice to Australians
National Cyber Security Coordinator Lieutenant General Michelle McGuinness has advised Australians not to go to the dark web to look for or access stolen information.At the same time, the lieutenant general told the public to be alert to scams, regardless of whether they were affected by the data breach.
“Be on the lookout for scams referencing the MediSecure data breach, and do not respond to unsolicited contact that references the data breach experienced by MediSecure,” she said.
“If contacted by someone claiming to be a medical or other service provider, including a financial service provider, seeking personal, payment, or banking information, you should hang up and call back at a phone number you have sourced independently.”
Ms. McGuinness also shared some tips on enhancing Australian online security, including setting up multi-factor authentication, creating strong and unique passphrases, and installing software updates regularly.
MediSecure’s cyber attack comes as Australian corporations and government organisations have been subject to a series of serious data breaches in the past few years, causing millions of people to suffer from information theft.
