The ABC can confirm e-script provider MediSecure is the health organisation at the centre of the large-scale ransomware data breach announced by the national cyber security coordinator on Thursday.
MediSecure’s website has been pulled, and the company has posted a statement saying it has identified a cyber security incident impacting “the personal and health information of individuals”.
A MediSecure spokesperson said it was too early to respond to detailed questions about the nature and extent of the incident but added that “a lot of investigation work is being conducted”.
The company is a prescription exchange service, which facilitates electronic prescribing and dispensing of prescriptions.
In a statement, the company said it has “taken immediate steps to mitigate any potential impact on our systems”, and believed the incident originated from a third-party vendor.
“MediSecure takes its legal and ethical obligations seriously and appreciates this information will be of concern,” it said.
“MediSecure is actively assisting the Australian Digital Health Agency and the national cyber security coordinator to manage the impacts of the incident.”
MediSecure was one of two companies awarded contracts by the federal government to provide PBS e-script services until late last year, when the tender was granted exclusively to another company, eRx.
In October last year, the ACCC granted authorisation for MediSecure to transfer all publicly-funded electronic prescriptions and data to eRx.
MediSecure said at the time it would remain in the market providing private prescriptions. It’s unclear what data has been compromised and over what time period.
Earlier, national cyber security coordinator Michelle McGuinness was unable to share what company had been affected.
“I am working with agencies across the Australian government, states and territories to coordinate a whole-of-government response to this incident,” Lieutenant-General McGuinness said in a statement on social media platform X.
“We are in the very preliminary stages of our response and there is limited detail to share at this stage, but I will continue to provide updates as we progress while working closely with the affected commercial organisation to address the impacts caused by the incident.”
The organisation is also working with the Australian Federal Police.
Cyber Security Minister Clare O’Neil says she was briefed on the breach, and the government had convened a national coordination mechanism.
“Updates will be provided in due course,” she said on social media platform X.
“Speculation at this stage risks undermining significant work underway to support the company’s response.”
Australian Medical Association president Steve Robson said the organisation is seeking urgent briefings on the incident.
“There needs to be a thorough and transparent investigation, backed by clear and consistent communication to the public and profession,” Professor Robson said.
“These are critical to maintaining community trust in the electronic systems that are now integral to the functioning of our health system.”
In October 2022, Medibank revealed hackers accessed the personal data of all customers across its Medibank, ahm and OSHC brands, affecting millions of Australians.