Half of Australia’s population was exposed in the MediSecure breach, but victims might never know if they’re affected

Roughly half of the population of Australia was impacted by a cyber attack on MediSecure, an electronic prescription provider, but the firm says financial constraints mean it cannot confirm exactly who was impacted or what data was compromised.

According to a statement released by the firm, the attack affected approximately 12.9 million individuals who used the MediSecure prescription service between March 2019 and November 2023.

MediSecure said the initial attack took place in April 2024, when it discovered a database server had been encrypted in a suspected ransomware attack. The company disclosed the incident to customers in May.

On 17 May, the firm said it was able to successfully restore a complete backup of the server, and “took immediate steps to investigate the impacted information.”

The investigation indicated that 6.5 TB of data stored on the server was likely exfiltrated by the hackers, but the server in question could not be examined to pinpoint exactly what information was accessed .

According to analysis by cyber experts at McGrathNicol Advisory, the server consisted of an extremely large amount of semi-structured and unstructured data stored across a variety of datasets.

Although MediSecure was unable to specify exactly what data was accessed, it listed the kinds of information it believed were impacted by the incident, including a customer’s full name, title, date of birth, gender; email address , and phone number.

Individual healthcare identifiers (IHI), numbers associated with their Medicare plan, pension and healthcare cards, prescription medication , and reason for the prescription were also exposed.

Towards the end of May, a user of an underground hacking forum by the name of Angsar claimed to have the stolen data listing the information for a one time sale of $50,000.

The post stated the database contained phone numbers, addresses, email addresses, full names, insurance numbers, and sensitive information related to prescriptions, which aligns with the types of data MediSecure thought may have been exfiltrated.

The cache also includes usernames and passwords for the MediSecure website, a well as IP addresses of visitors to the site.

Angsar posted a number of screenshots to prove the authenticity of the data, which contained a range of prescription information and details of local pharmacies.

Australia’s national cyber security coordinator took to LinkedIn shortly after the hacker published the samples to warn citizens not to go looking for their stolen data on the dark web, which would only strengthen their business model.

“While this is an unwelcome development, I want to again assure Australians that if individuals are at risk of serious harm through the publication of their information, then we will work with MediSecure to make sure that individuals are appropriately informed, so they may take steps to protect themselves from any further risk to their personal information,” the group advised.

Financial difficulties mean MediSecure cannot confirm if user data was stolen

In addition to not being able to specify exactly what the hackers were able to steal, MediSecure said the complexity of the database made it impractical to identify and inform all of the individuals affected by the attack due to financial constraints .

“This made it not practicable to specifically identify all individuals and their information impacted by the Incident without incurring substantial cost that MediSecure was not in a financial position to meet,” the company said.

Shortly after disclosing the attack, which came not long after the firm lost out to its primary competitor in a battle to win a national prescription services contract,  the company announced it would be entering voluntary administration,

In May 2023, eRx Script Exchange was given exclusive tender for eScipt services in Australia, signing a four-year agreement worth $100 million, that would see eRx become the sole provider for the nation’s health department .

Realize the full value of an open hybrid cloud approach

As a result of losing out to eRx Script Exchange, and the recent cyber attack, the embattled prescription firm was forced to enter administration and liquidate its assets, and sought additional support from the Commonwealth in order to fund its response to the attack.

“MediSecure wishes to clarify that it sought funding from the Commonwealth Government for the limited and confined purpose of assisting with the costs associated with responding to the incident, and the request was not for funding MediSecure’s operational costs unrelated to the cyber-attack .”