About 12.9 million Australians had their data stolen in the MediSecure hack earlier this year, the eScripts provider has revealed, placing it among the largest cyber breaches in Australian history.
MediSecure, which facilitates electronic prescriptions and dispensing, confirmed in May it was the victim of a ransomware attack, although the theft itself took place earlier, and continued until November 2023.
The company had not previously disclosed how many Australians were affected, and has not contacted people individually.
MediSecure was one of only two eScript providers in Australia until late last year, when competitor eRx took over the government contract to supply the entire market.
The company went into voluntary administration in June after the federal government declined to provide it with a financial bailout.
MediSecure’s statement, released late yesterday, explained that the cost has hampered its response to the attack.
“MediSecure is unable to identify the specific impacted individuals despite making all reasonable efforts to do so due to the complexity of the data set,” it said.
It added that doing so would have come at a “substantial cost that MediSecure was not in a financial position to meet”.
“By the time this breach happened, MediSecure had lost its main source of revenue,” said Katherine Mansted, Director of Cyber Intelligence for security firm CyberCX.
“That, of course, has complicated the response to this incident,” she said.
“This is an entity that doesn’t necessarily have the incentive or the revenue profile to really ‘grip this incident up’, as perhaps we’ve seen with other major incidents in Australia in the past.”
In a statement released late Thursday afternoon, MediSecure gave details about the kinds of data stolen, including full names, phone numbers, dates of birth, home addresses, Medicare numbers, and Medicare card expiry dates.
The 6.5 terabytes of data also included some sensitive health information, such as which medications people were prescribed, the name of the drug, dosage, the reason for their prescription, and instructions for taking the medication.
Credit card details were not exposed in the breach.
There’s no indication the trove has been published in full, but the government and law enforcement, including the Australian Federal Police, are continuing to monitor for it.
A tiny sample of the data was published on a dark web forum following the hack, and the larger data set was listed as being for sale, for $50,000.
It’s not clear whether the data was sold, but it’s considered likely.
“Once the data genie is out of the bottle, it’s impossible to get that data back,” Ms Mansted said.
If the data set was in fact bought, it’s also possible the buyer was a security entity, and not a cyber criminal, according to analysts.
Nevertheless, Australians are being told to watch out for scams referencing the MediSecure data breach, and not to respond to unsolicited contact that mentions the incident.
National Cyber Security Coordinator Lieutenant General Michelle McGuinness released a statement on X.
“If contacted by someone claiming to be a medical or other service provider, including financial service provider, seeking personal, payment or banking information, you should hang up and call back on a phone number you have sourced independently.”
In light of the Optus and Medibank breaches in 2022 and the breach of financial services company Latitude last year affecting 14 million people, authorities now believe most Australians have been exposed in some way, and some several times over.
Lieutenant General McGuinness warned Australians not to go looking for the dataset online.
“I understand many Australians will be concerned about the scale of this breach,” she said.
“This activity only feeds the business model of cyber criminals and can be a criminal offence.”
She is also reassuring Australians that current eScript services are not affected.
“There is no impact to the current national prescription delivery service, and people should keep accessing their medications and filling their prescriptions,” said Lieutenant General McGuinness.