Half of Australia’s Population Exposed After Major Data Hack

The government has assured the public that medical prescriptions continue to work as normal.
Half of Australia’s Population Exposed After Major Data Hack
An engineering student takes part in a hacking challenge near Paris on March 16, 2013. Thomas Samson/AFP via Getty Images
Alfred Bui
Updated:
0:00

Half of the Australian population has had their information stolen in one of the nation’s largest data breaches.

On July 18, electronic prescription service MediSecure announced that it had ceased investigation of a cyber attack into one of its database servers in early 2024.

According to the company’s findings, hackers stole personal and sensitive information, including contact details, Medicare card numbers, and health information, of around 12.9 million Australians who used the MediSecure prescription delivery service between March 2019 and November 2023.

The complete list of what type of information had been stolen can be found on MediSecure’s website.

The hackers also uploaded an unknown amount of information onto the dark web.

While MediSecure suffered a severe data breach, the company said Australia’s digital health network was not affected as MediSecure did not participate in the system.

“At the time of the incident, MediSecure did not have any connections to the prescribing and dispensing of medications,” the company said in a statement.

“Australians can continue to access medicines safely, and healthcare providers can still prescribe and dispense as usual through the national prescription delivery service, eRx.”

The Home Affairs Department also assured the public that eRx was unaffected by the cyber attack.

“Prescriptions continue to work as normal. People should keep accessing their medications and filling their prescriptions,” it said.

“This i​ncludes prescriptions (paper and electronic) that may have been issued up until November 2023.”

MediSecure was one of two electronic prescription delivery services in Australia until late 2023.

However, in May 2023, the federal government awarded the service exclusively to eRx Script Exchange.

The Australian Federal Police (AFP) is currently investigating the incident, and the federal government has said that it is not aware of the publication of the entire stolen data set.

How the Data Breach Happened

MediSecure said it became aware of the cyber attack on April 13 when the company discovered that a database server had been encrypted by suspected ransomware.

The company then took action to contain the affected database server and conducted a forensic investigation to identify the cause of the unauthorised access and the impacts.

Following the investigation, MediSecure found that hackers were likely to exfiltrate 6.5 terabytes of data stored on the server.

However, the company could not explicitly ascertain what information was accessed as the server was encrypted.

MediSecure then notified the incident to relevant authorities, including the Office of the Australian Information Commissioner, the Home Affairs Department, the Health and Aged Care Department, and the AFP.

On May 17, the electronic prescription service restored a complete backup of the affected server and started investigating the impacted information.

Apart from disrupting its operation, the cyber attack also inflicted a heavy financial burden on MediSecure, causing the company to enter voluntary administration on June 3.

Authorities’ Advice to Australians

National Cyber Security Coordinator Lieutenant General Michelle McGuinness has advised Australians not to go to the dark web to look for or access stolen information.
“This activity only feeds the business model of cyber criminals and can be a criminal offence,” she said on social media.

At the same time, the lieutenant general told the public to be alert to scams, regardless of whether they were affected by the data breach.

“Be on the lookout for scams referencing the MediSecure data breach, and do not respond to unsolicited contact that references the data breach experienced by MediSecure,” she said.

“If contacted by someone claiming to be a medical or other service provider, including a financial service provider, seeking personal, payment, or banking information, you should hang up and call back at a phone number you have sourced independently.”

Ms. McGuinness also shared some tips on enhancing Australian online security, including setting up multi-factor authentication, creating strong and unique passphrases, and installing software updates regularly.

MediSecure’s cyber attack comes as Australian corporations and government organisations have been subject to a series of serious data breaches in the past few years, causing millions of people to suffer from information theft.

Alfred Bui
Alfred Bui
Author
Alfred Bui is an Australian reporter based in Melbourne and focuses on local and business news. He is a former small business owner and has two master’s degrees in business and business law. Contact him at [email protected].