The MediSecure data breach is an “isolated” attack with no impact on the current e-Priscription services, the Australian National Cyber Security Coordinator said on Friday. There is also no evidence of an increased cyber threat to the medical sector, she added.
After the electronic prescriptions provider MediSecure on Thursday reported being victim of a “large-scale ransomware data breach” that likely originated from a third-party vendor, Australia’s cyber chief, Lieutenant General Michelle McGuinness, said in an update the government was still “working to build a picture of the size and nature of the data that has been impacted by this data breach impacting MediSecure.”
“This discovery work often takes time and I understand Australians are anxious about the possibility of their personal information being affected,” the cyber chief said.
McGuinness said she convened the National Coordination Mechanism (NCM) with the National Emergency Management Agency on Thursday, which brings all relevant Government stakeholders together and ensures they are in-sync with the same information and understanding of the issue.
“The NCM allows us to achieve strong situational awareness and ensures that together, we’re best positioned to identify options available to the Australian Government to respond to the incident,” she added.
The cyber chief assured that the authorities were working at top pace to complete their investigation and would soon share information about what has been impacted. “We will share this with you – along with what affected people may need to do to protect themselves,” McGuinness said.
Timeline of the MediSecure Data Breach – So Far
The Australian National Cyber Security Coordinator first disclosed details of the MediSecure “large-scale ransomware data breach incident” on Thursday morning stating it impacted the personal and health information of individuals.
McGuinness said in a statement that her office was managing the fallout from the major hacking incident through a “whole-of-government response.”
“We are in the very preliminary stages of our response and there is limited detail to share at this stage, but I will continue to provide updates as we progress while working closely with the affected commercial organization to address the impacts caused by the incident,” said Cybersecurity coordinator Lieutenant General Michelle McGuinness.
McGuinness did not initially name the victim company but said it was a “commercial health information organization.”
Local media, however, later confirmed that the unnamed entity was MediSecure, which was at the center of the large-scale ransomware data breach announced by the National Cyber Security Coordinator.
The e-prescription provider MediSecure’s websites were down since Wednesday but the company on Thursday evening issued a statement acknowledging the cybersecurity incident which said that “early indicators suggest the incident originated from one of our third-party vendors.”
The company did not disclose the specifics like the number of people impacted, the type of information compromised and the threat actor behind the ransomware breach, but said the cybersecurity incident impacts “the personal and health information of individuals.”
McGuinness said the Australian Cyber Security Centre was aware of the incident and the Australian Federal Police was investigating it.
In a Friday update the cyber chief said that based on the preliminary investigation what the Government could confirm was that “no current ePrescriptions have been impacted or accessed.”
“The Department of Health has confirmed there has been no impact to the ePrescription services currently in use,” McGuinness said.
“On the basis of technical advice from MediSecure to date, the original compromise has been isolated and there is no evidence to suggest an increased cyber threat to the medical sector,” she added.
The investigators have not seen any evidence of identity documents been compromised in the breach. They are currently working with the company and other agencies “to build a full picture of the impacted dataset,” McGuinness said.
“We have not seen evidence so far to suggest that anyone needs to replace their Medicare card. If our investigation turns up any evidence to suggest Australians’ identities are at risk and they need to replace their documents, we will let them know.”
The Australian Medical Association was briefed Friday morning from the cyber chief’s office about the MediSecure data breach after it demanded a thorough and transparent investigation with clear and consistent communication to the public and the medical fraternity. “This is critical to maintaining community trust in the electronic systems that are now integral to the functioning of our health system,” the AMA had earlier said.
The AMA welcomed the formation of a National Stakeholder Group to support the government’s response.
MediSecure is Only One-of-Two
MediSecure is a prescription exchange service (PES), a kind of secure messaging system that specializes in transferring prescriptions between healthcare providers or doctors (prescribers) and the pharmacy (dispenser). It is only one of the two ePrescriptions providers in Australia that became prominent for issuing millions of electronic prescriptions when the Covid-19 pandemic began in 2020.
As of January 2024, more than 80,000 prescribers in Australia including general practitioners and nurses have issued over 189 million e-prescriptions.
The tender closed on 2 June 2022 and in May 2023, the department signed a 4-year contract for Fred IT’s.
The Department of Health last year shifted to a single provider – eRx supplied by Fred IT Group – in a four-year agreement that costed more than $100. As part of that agreement, eRx Script Exchange became the sole supplier of the national Prescription Delivery Service from July 1, 2023, which meant public healthcare providers and pharmacies were required to shift entirely from MediSecure to eRx ePrescriptions. MediSecure still provides prescription services to private providers.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.