Medical data breaches hit medical industry in Australia and overseas

May 17, 2024

The health industry is a prime target for cyber attacks. On the one hand, hospitals, medical surgeries and health industry organisations collect vast amounts of personal and financial information. On the other, the industry is notoriously prone to attack. In the United States, Singing River Health System has been hacked, with the records of 895,000 stolen, while an attack on Ascension has resulted in ambulances being diverted and EHRs taken offline. But it is in Australia that one of the most significant attacks in the health industry has occurred. There has been a data breach at MediSecure, a company which provides electronic prescriptions and monitoring. There is good coverage by the Australian Financial Review, which puts this attack in the context of large-scale data breaches in Australia in the last year or so.

Given that MediSecure, a name that is deeply ironic today, is the only accredited electronic provider of prescriptions, this is a potentially disastrous development.

As per usual in the Australian environment, MediSecure has released a very brief (non) statement which provides:

MediSecure has identified a cyber security incident impacting the personal and health information of individuals. We have taken immediate steps to mitigate any potential impact on our systems.

While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors.

MediSecure takes its legal and ethical obligations seriously and appreciates this information will be of concern. MediSecure is actively assisting the National Cyber Security Coordinator to manage the impacts of the incident. MediSecure has also notified the Office of the Australian Information Commissioner and other key regulators.

MediSecure understands the importance of transparency and will provide further updates via our website as soon as more information becomes available. We appreciate your patience and understanding during this time.

While most of the statement is pap, what is relevant is that the breach came through a third-party vendor. That is a common entry point for major data breaches. Many organisations have not properly grappled with ensuring that third-party operators with authorisations and access rights to their websites maintain proper data security.

The AFR article provides:

Australians’ medical data is at risk after hackers stole material and demanded a ransom from a company called MediSecure that managed millions of digital scripts a year.

The national cybersecurity co-ordinator disclosed on Thursday she was managing the fallout from the hack but did not name the company, which The Australian Financial Review revealed was MediSecure.

“Yesterday afternoon I was advised by a commercial health information organisation that it was the victim of a large-scale ransomware data breach incident,” Lieutenant General Michelle McGuinness said.

MediSecure, based in Melbourne and founded in 2009, ran one of the country’s two paperless script networks, which patients use to get drugs from pharmacies, until November last year. Exactly what was taken is unknown but between 2020 and 2023, doctors issued more than 122 million digital scripts across the platforms.

On Thursday, MediSecure’s website was down and its phone lines were out of operation. When the Financial Review visited its listed address in Melbourne – a co-working space – no MediSecure staff were present.

In a statement posted to its otherwise empty website after inquiries, the company said it had taken steps to limit damage from the hack that hit “personal and health information” and was working with authorities.

“While we continue to gather more information, early indicators suggest the incident originated from one of our third-party vendors,” the statement reads. “MediSecure takes its legal and ethical obligations seriously and appreciates this information will be of concern,” the company said, promising it would provide more updates.

Severe threat

Healthcare companies have been a frequent target of ransomware groups around the world, which claim they will delete stolen data or fix disabled computer systems in exchange for payment. The country’s largest not-for-profit hospital and aged care group St Vincent’s was hacked last year and insurer Medibank Private fell victim the year before that.

Cybersecurity analyst Jeremy Kirk said the sector was targeted because its companies had reasons to pay. “[Healthcare organisations] hold really sensitive data and the threat of releasing that data is often strong leverage to get an organisation to pay,” said Mr Kirk, of cybersecurity intelligence company Intel471.

Australia has been roiled by several major hacks in recent years, including on Optus, Medibank, Latitude Financial, law firm HWL Ebsworth and stevedore DP World. The MediSecure hack shows the threat remains severe despite government attempts to harden the country’s defences with greater industry collaboration, more support for business and higher levels of public spending.

The Australian Federal Police, Australian Cybersecurity Centre and Office of the Australian Information Commissioner are all looking into the breach under General McGuinness and Cybersecurity Minister Clare O’Neil.

There is now only one national network for publicly funded scripts, Telstra and the Pharmacy Guild’s eRX, which inherited data from MediSecure.

A Telstra spokeswoman said eRX and the national prescription network were unaffected. “These services continue to operate as usual and have not been impacted by any cyber incident,” the spokeswoman said.

No data appears to have been released online from the MediSecure hack and the hackers have not been identified publicly. Even when companies pay a ransom, sometimes files are not deleted or unencrypted as promised.

Former cybersecurity centre boss Alastair MacGibbon said with limited data publicly available people should not be too concerned. “Worrying may be unnecessary or ineffectual,” said Mr MacGibbon, now chief strategy officer at consultancy CyberCX. Mr MacGibbon said it was too early to speculate on the identity of the hackers, but the government’s decision to confirm it was managing the hack was unusual.

“I guess in time that will unfurl as to why that has occurred,” Mr MacGibbon said.
