Data about 12.9 million Australians who used the prescription delivery service of MediSecure has been breached during a ransomware attack in April, the company has announced.
MediSecure became aware of the attack on April 13, 2024, when it discovered that a database server had been encrypted by suspected ransomware. Investigations then showed that 6.5TB of data was “likely exfiltrated by a malicious third-party actor”, and that the affected server was was holding an “extremely large volume of semi-structured and unstructured data stored across a variety of data sets.”
Personal and medical data
The hack affected customers who used MediSecure’s prescription delivery service between March 2019 and November 2023. The leaked information included:
- full name;
- title;
- date of birth;
- gender;
- email address;
- address;
- phone number;
- individual healthcare identifier (IHI);
- Medicare card number, including individual identifier, and expiry;
- Pensioner Concession card number and expiry;
- Commonwealth Seniors card number and expiry;
- Healthcare Concession card number and expiry;
- Department of Veterans’ Affairs (DVA) (Gold, White, Orange) card number and expiry;
- prescription medication, including name of drug, strength, quantity and repeats; and
- reason for prescription and instructions.
Even though MediSecure managed to restore a complete backup of the server, the company says that it is not possible to specify exactly how each customer has been affected “due to the complexity of the data set.”
While some information such as Medicare, Healthcare Concession, Pensioner Concession, and Commonwealth Seniors card numbers alone cannot be used as a proof of identity, MediSecure still warns that some might use the information to identity-related crime and cyber scam activities.
Due to the potential seriousness of the breach, which the National Cyber Security Coordinator called a “large-scale ransomware data breach”, MediSecure notified the incident to the Office of the Australian Information Commissioner. It also engaged with the National Office of Cyber Security of the Department of Home Affairs and the Department of Health and Aged Care, as well as the Australian Signals Directorate and the Federal Police.