A cyberattack on MediSecure, a former Australian e-prescription delivery service, has resulted in a colossal data breach impacting nearly 13 million individuals. This staggering number makes the MediSecure data breach one of the largest healthcare data breaches in Australian history.
MediSecure disclosed on Thursday that a malicious actor breached its database and potentially exfiltrated 6.5 terabytes of data that contained 12.9 million records of Australians.
The findings are a part of the investigation conducted along with cyber and forensic experts from McGrathNicol Advisory in collaboration with the National Cyber Security Coordinator. The main motive of taking outside help was to confirm the extent of the data breach and all individuals impacted, at the earliest.
According to the findings, the compromised data includes a treasure trove of highly sensitive personal and health information.
- full name;
- title;
- date of birth;
- gender;
- email address;
- address;
- phone number;
- individual healthcare identifier (IHI);
- Medicare card number, including individual identifier, and expiry;
- Pensioner Concession card number and expiry;
- Commonwealth Seniors card number and expiry;
- Healthcare Concession card number and expiry;
- Department of Veterans’ Affairs (DVA) (Gold, White, Orange) card number and expiry;
- prescription medication, including name of drug, strength, quantity and repeats; and
- reason for prescription and instructions.
While MediSecure emphasizes that Medicare and other government-issued card numbers cannot be used solely for identity theft, the breach significantly increases the risk of phishing attacks and other online scams targeting the affected individuals.
Challenges in Identifying Victims and Questions of Financial Preparedness
While acknowledging the severity of the breach, MediSecure highlighted the difficulty in pinpointing every impacted individual. The company cites the sheer volume (6.5 terabytes) and complexity of the exposed data as hindrances. This lack of granular identification raises concerns about the timeliness of notifying victims and empowering them to take proactive security measures.
MediSecure further explains that financial limitations prevented them from conducting a more in-depth analysis to identify specific victims, which questions the company’s preparedness for such large-scale cyber incidents and their commitment to user data security.
“The impacted server analyzed by McGrathNicol Advisory consisted of an extremely large volume of semi-structured and unstructured data stored across a variety of data sets. This made it not practicable to specifically identify all individuals and their information impacted by the Incident without incurring substantial cost that MediSecure was not in a financial position to meet.” – MediSecure
The company also reveals that their request for financial assistance from the Commonwealth Government to aid in the response efforts was denied.
Addressing recent reports suggesting they requested government funding to cover operational costs unrelated to the cyberattack, the company clarified that the funding request was “limited and confined” to the specific costs associated with the cyberattack incident response.
This clarification comes amidst concerns regarding the financial viability of MediSecure after it filed for liquidation in June 2024.
Despite the funding denial, MediSecure maintains it has been working diligently with various government agencies, including the National Cyber Security Coordinator (ACSC), the Australian Federal Police (AFP), and the Australian Signals Directorate (ASD).
Dark Web Data Sale Claim Investigation Ongoing
According to a MediSecure’s statement, the company is also currently reviewing a data set recovered from a dark web forum to determine which individuals were affected by the breach. This process, however, appears to be taking longer than anticipated. The company is collaborating with the Commonwealth Government to notify all impacted individuals as soon as possible.
A week after the MediSecure data breach incident became public, a Russian hacking forum member claimed to have 6.5TB of data including personal information of thousands of Australians. The post on the forum read, “For sale: Database of an Australian medical prescriptions company MedSecure [sic].” The forum user detailed the leaked information available, which likely matches the data that MediSecure now confirmed as compromised.
The Australian National Cyber Security Coordinator, however, warned people against hunting for any such leaked data sets. No one should go looking for or access stolen sensitive or personal information from the dark web. This activity only feeds the business model of cyber criminals and can be a criminal offence,” the Australian NCSC said.
MediSecure No Longer Part of National System, But Risk of Phishing and Scams Remains High
Both MediSecure and the Home Affairs Department said it’s crucial to clarify that MediSecure is no longer involved in Australia’s national prescription delivery service. This e-prescription service transitioned to eRx Script Exchange (eRx) in late 2023, and this new system remains unaffected by the current breach, the Home Affairs ministry said.
“The affected data relates to prescriptions distributed by MediSecure’s systems up until November 2023.” – Australian Department of Home Affairs
However, while the specific individuals impacted remain unidentified, that exposed data significantly increases the risk of cyberattacks targeting these individuals. Phishing scams, identity theft attempts, and other online fraud schemes are likely to exploit the stolen information, the home department warned.
Recommendations for Impacted Australians and Lingering Concerns
Heightened Vigilance Advised: While the investigation unfolds, MediSecure advises potentially affected individuals to exercise heightened vigilance against phishing attempts, identity theft, and other cyber scams. Australians are encouraged to monitor their financial statements closely, be wary of unsolicited emails or calls, and leverage strong passwords across all online accounts. Additionally, the Australian Government’s dedicated webpage provides resources and guidance on protecting personal information and online accounts.
Long-Term Impact and Importance of Robust Cybersecurity: This unprecedented data breach exposes critical vulnerabilities in data security practices and raises concerns about the long-term impact on affected individuals. The potential for misuse of sensitive health information is significant, and the lack of immediate identification hinders proactive measures. This incident serves as a stark reminder for organizations handling sensitive data to invest in robust cybersecurity measures and prioritize user privacy.