The data breach at MediSecure, a former electronic prescription provider, has compromised the personal and limited health data of approximately 12.9 million Australians, with 6.5 terabytes of data stolen.
This breach, larger in scale than the recent Optus incident affecting up to 10 million people, was identified in mid-April and disclosed in May.
According to a detailed incident analysis, the breach involved the encryption of a database server by suspected ransomware.
The encryption complicated immediate assessment of the stolen data. It took a month, with external assistance, to fully restore a backup of the server, revealing a significant volume of semi-structured and unstructured data spread across various datasets.
The post-incident report indicated that pinpointing all affected individuals and their specific information would incur substantial costs, which MediSecure could not cover. The company entered voluntary administration shortly after the breach was made public.
MediSecure and assisting organisations confirmed that around 12.9 million Australians were impacted based on healthcare identifiers. However, the complexity of the dataset made it difficult to identify specific individuals affected, despite reasonable efforts.
The stolen data included personal information, government and health credential numbers, and details related to prescription medications, such as drug names, strengths, quantities, repeats, reasons for prescriptions, and instructions. The compromised data covers the period from March 2019 to November 2023.
National Cyber Security Coordinator, Lieutenant General Michelle McGuinness, said the Australian government is not currently aware of the full dataset being published.
“At this time, the Australian government is not aware of publication of the full dataset. No one should go looking for or access stolen sensitive or personal information from the dark web. This activity only feeds the business model of cyber criminals and can be a criminal offence,” she said. “I understand many Australians will be concerned about the scale of this breach. I encourage everyone, whether impacted in this incident or not, to be alert to being targeted in scams.”
Acknowledging the public’s concern over the breach, she urges everyone to remain vigilant against potential scams, regardless of whether they were directly affected by this incident.
“Be on the lookout for scams referencing the MediSecure data breach, and do not respond to unsolicited contact that references the data breach experienced by MediSecure. If contacted by someone claiming to be a medical or other service provider, including financial service provider, seeking personal, payment, or banking information you should hang up and call back on a phone number you have sourced independently,” she said.