Medisecure reveals that the data breach earlier this year resulted in the theft of the personal information of 12.9 million Australians. That makes the need for proper reform of the Privacy Act even more urgent
July 19, 2024
The numbers used to be staggering. Thousands, then hundreds of thousands of records taken in this or that cyber attack. Now the administrator of Medisecure Ltd and the liquidators of Operations MDS Pty Ltd have made a statement that the personal information of 12.9 million Australians has been compromised (a fancy word for stolen). This prompted the Department of Home Affairs to curate that statement into its own press release, which has been followed by reports on the ABC and the Guardian. As with many health related services, the personal information collected is both voluminous and comprehensive. It included individuals’:
- full name;
- title;
- date of birth;
- gender;
- email address;
- address;
- phone number;
- individual healthcare identifier (IHI);
- Medicare card number, including individual identifier, and expiry;
- Pensioner Concession card number and expiry;
- Commonwealth Seniors card number and expiry;
- Healthcare Concession card number and expiry;
- Department of Veterans’ Affairs (DVA) (Gold, White, Orange) card number and expiry;
- prescription medication, including name of drug, strength, quantity and repeats; and
- reason for prescription and instructions.
The administrator and liquidator’s statement relevantly provides:
Investigation of cyber security incident
MediSecure has ceased its investigation of the Incident, and provides the following details of the Incident in accordance with its obligations under the Privacy Act 1988 (Cth).
Under joint standing arrangement Operation Aquila, the Australian Federal Police (AFP) are investigating the Incident with support from the Australian Signals Directorate (ASD).
Nonetheless, MediSecure wishes to inform the public that the personal and sensitive information, including contact and health information, of approximately 12.9 million Australians who used the MediSecure prescription delivery service during the approximate period of March 2019 to November 2023 was contained within MediSecure data stolen by a malicious third-party actor.
MediSecure would like to reiterate it is not a current participant in Australia’s digital health network. At the time of the Incident, MediSecure did not have any connections to the prescribing and dispensing of medications. Australians can continue to access medicines safely, and healthcare providers can still prescribe and dispense as usual through the national prescription delivery service, eRx.
MediSecure has worked closely with the National Cyber Security Coordinator, AFP, ASD, and the Office of the Australian Information Commissioner, to respond to the Incident in a way consistent with Australia’s national security interests and the community’s expectations.
MediSecure implores individuals and organisations, including media organisations, not to look for the data on the dark web. You are encouraging the criminal activity that has led to this Incident and may further the potential harm to Australians impacted. You may also put yourself at risk of committing cybercrime and, importantly, it is an offence to deal in stolen personal information. Those who do face a penalty of up to 5 years’ imprisonment.
More information relating to the Incident and further resources available can be found below, as well as on the Department of Home Affairs website here: https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/cyber-coordinator/medisecure-cyber-security-incident.
Description of cyber incident and data breach
On 13 April 2024, MediSecure was made aware of the Incident when it was discovered a database server had been encrypted by suspected ransomware. MediSecure took immediate actions to secure its IT environment, identify the cause of the unauthorised access and the relevant impact.
MediSecure quickly secured its IT environment and began a forensic investigation into the relevant impact of the Incident. The investigation indicated that 6.5TB of data stored on the server was likely exfiltrated by a malicious third-party actor, however the encrypted server could not be examined to ascertain the information specifically accessed.
Nonetheless, given the impacted server likely included the personal and health information of potentially a large number of individuals, MediSecure notified the Incident to the Office of the Australian Information Commissioner (OAIC), and engaged with the National Office of Cyber Security (NOCS) of the Department of Home Affairs and the Department of Health and Aged Care (DOHA), as well as the ASD and AFP.
On 17 May 2024, with the assistance of IT specialists, MediSecure successfully restored a complete backup of the server and took immediate steps to investigate the impacted information. The nature and volume of the data however made the forensic analysis very complex and time-consuming. It also required the support of cyber and forensic experts from McGrathNicol Advisory in collaboration with the National Cyber Security Coordinator and NOCS.
Kinds of information concerned
MediSecure can confirm that approximately 12.9 million Australians who used the MediSecure prescription delivery service during the approximate period of March 2019 to November 2023 are impacted by this Incident based on individuals’ healthcare identifiers. However, MediSecure is unable to identify the specific impacted individuals despite making all reasonable efforts to do so due to the complexity of the data set.
The impacted server analysed by McGrathNicol Advisory consisted of an extremely large volume of semi-structured and unstructured data stored across a variety of data sets. This made it not practicable to specifically identify all individuals and their information impacted by the Incident without incurring substantial cost that MediSecure was not in a financial position to meet.
The analysis of the data can confirm that the kinds of information impacted by this Incident include:
- full name;
- title;
- date of birth;
- gender;
- email address;
- address;
- phone number;
- individual healthcare identifier (IHI);
- Medicare card number, including individual identifier, and expiry;
- Pensioner Concession card number and expiry;
- Commonwealth Seniors card number and expiry;
- Healthcare Concession card number and expiry;
- Department of Veterans’ Affairs (DVA) (Gold, White, Orange) card number and expiry;
- prescription medication, including name of drug, strength, quantity and repeats; and
- reason for prescription and instructions.
Further resources available
Whilst the Incident impacts a significant number of Australians, with regard to the government issued card numbers exposed:
- Medicare, Pensioner Concession, Healthcare Concession, and Commonwealth Seniors card numbers alone cannot be used as a proof of identity.
- Department of Veterans’ Affairs card numbers cannot be used to access personal information held by the Department of Veterans’ Affairs, or be used as a proof of identity.
Nonetheless, the types of information impacted may increase the likelihood of Australians being targeted by phishing, identity-related crime and cyber scam activities. It is therefore recommended that individuals that may be impacted by the Incident refer to the resources available outlined below.
Further information regarding the Incident and steps individuals can take to protect their personal information and online accounts is available at the National Cyber Security Coordinator’s dedicated webpage for the MediSecure cyber security incident found here: https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/cyber-coordinator/medisecure-cyber-security-incident.
Additional resources available include:
- OAIC: The Privacy Commissioner’s dedicated data breach support and resources are available here: https://www.oaic.gov.au/privacy/your-privacy-rights/data-breaches/data-breach-support-and-resources.
- IDMatch: Commonwealth, state and territory governments provide free guidance on how to protect government issued documents as a result of a data breach here: https://www.idmatch.gov.au/individuals/data-breach.
- Scamwatch: The National Anti-Scam Centre provides further information about phishing and how to recognise, avoid and report scams here: https://www.scamwatch.gov.au/.
- ASD: The Australian Signals Directorate’s Australian Cyber Security Centre provides advice and information about how to protect yourself online here: https://www.cyber.gov.au/.
- ReportCyber: Any individual can report a cybercrime or incident affecting them or someone they know by calling 1300 292 371 or online here: https://www.cyber.gov.au/report-and-recover/report.
- Mental health support: Call 000 in an emergency. A number of free government and community services provide online or by phone mental health support, or see your doctor.
  - Lifeline – 13 11 14
  - Kids Helpline – 1800 55 1800
  - Mental Health Crisis Assessment and Treatment Team in your state/territory
  - Beyond Blue – 1300 224 636
  - MensLine – 1300 78 99 78
  - SANE Helpline – 1800 187 263
  - Headspace – 1800 650 890
Due to MediSecure’s financial position, it cannot include contact details in this statement as resources are not available to respond to phone calls or email inquiries by individuals that may be impacted by the Incident.
The Department of Home Affairs statement provides:
The Australian Government has been advised by MediSecure that approximately 12.9 million individuals may have had their personal and health information relating to prescriptions, as well as healthcare provider information exposed by a cyber security incident.
MediSecure has published a public notice on the nature and extent of the incident. See MediSecure’s statement on the cyber security incident.
The affected data relates to prescriptions distributed by MediSecure’s systems up until November 2023.
This service enabled prescriptions to be delivered from prescribers to a pharmacy of an individual’s choice (for paper and electronic prescriptions). Until late 2023, MediSecure was one of two prescription delivery services operating nationally.
In May 2023 the Australian Government finalised a tender for this service, awarded exclusively to another company, Fred IT Group’s eRx Script Exchange (eRx).
The national prescription delivery service, eRx, is not affected by this cyber incident. Consumers can continue to access medicines safely, and healthcare providers can still prescribe and dispense as usual.
Prescriptions continue to work as normal. People should keep accessing their medications and filling their prescriptions. This includes prescriptions (paper and electronic) that may have been issued up until November 2023.
What data has been compromised?
A MediSecure database containing the personal and health information of individuals relating to prescriptions, as well as healthcare provider information has been affected by this cyber security incident.
The affected data relates to prescriptions distributed by MediSecure’s systems up until November 2023.
A range of details associated with prescriptions may have been impacted. MediSecure’s analysis of the data has confirmed that the kinds of information impacted by this incident includes contact and health information.
Additional information on the data impacted by this breach can be found on MediSecure’s public notice at: MediSecure’s statement on the cyber security incident.
Advice for individuals
What should I do if I think my data has been compromised?
You should be alert for scams, including those that reference the MediSecure data breach. We do not recommend responding to unsolicited contact about this matter.
You should also be wary of any unsolicited contact purporting to be a medical or financial service provider seeking payment or banking information. Hang up and call back on a phone number you have sourced independently.
You can learn how to protect yourself from scams by visiting the National Anti-Scam Centre’s (NASC) ScamWatch site, www.scamwatch.gov.au.
If you believe your information has been misused as a result of this incident, report this to ReportCyber at cyber.gov.au.
Protecting my medical identification
Services Australia advises those who are concerned about details such as Medicare, Pensioner Concession, Healthcare Concession, and Commonwealth Seniors card numbers that their accounts cannot be accessed with their card numbers alone.
Services Australia advises that individuals do not need to take any action related to their Pensioner Concession, Healthcare Concession, and Commonwealth Seniors cards.
While your Medicare account cannot be accessed with your Medicare card details alone, if you’re concerned about your Medicare card details, the easiest way to replace your Medicare card is by using your Medicare online account through myGov.
- You can visit Services Australia for helpful information about the steps you can take to replace your card
- If you want more information about the security of your Medicare, Centrelink and myGov accounts, please visit Protecting your personal information after a data breach for advice on how you can protect your personal information after a data breach.
Services Australia advises that customers should consider using the more secure methods to sign into their myGov account, such as:
- using passkeys, which are a simple, fast way to sign in to your myGov account and a more secure sign-in option than a password.
- using a connected Digital ID, which can also prove who you are when you use online services.
- using a strong and unique passphrase, and multi-factor authentication, such as getting a code sent by SMS.
More information about how Services Australia protects information in the event of data breaches is available at Protecting your personal information after a data breach.
The Department of Veterans’ Affairs (DVA) advises that personal information cannot be accessed with a DVA file number alone, or be used as a proof of identity.
DVA advises that individuals do not need to take any action related to their Veteran, Pensioner Concession, and Commonwealth Seniors cards.
DVA is examining other potential impacts to individual identity security associated with breached card numbers.
More information about how DVA protects information in the event of data breaches is available on the DVA website.
Is there a risk my other medical records have been accessed?
There is no known risk to the current national prescription delivery service, eRx.
Additionally, digital systems supporting the Pharmaceutical Benefits Scheme, Medicare, Real Time Prescription Monitoring and My Health Record have not been impacted by this cyber security incident.
The impact of this incident continues to be assessed as isolated to MediSecure’s systems only.
There is no evidence to suggest there is an increased cyber threat to the medical sector.
Protecting my personal information
In any data breach involving sensitive personal information, it is essential that individuals can find proper support. The Office of the Australian Information Commissioner provides data breach support and resources on the OAIC website.
IDMatch, a joint Australian, state and territory government initiative, provides guidance on how Australians can protect and remediate identity information. You can find clear, consistent guidance on how to protect identity information, how to minimise the likelihood and consequences of identity crime, and the steps to take to remediate compromised identities at the IDMatch website.
Identifying and reporting scams
The Australian Competition and Consumer Commission has established the National Anti-Scam Centre, to coordinate government, law enforcement and the private sector to combat scams. It operates Scamwatch, a service to support individuals to recognise, avoid and report scams.
Individuals can report suspected scams to the National Anti-Scam Centre via Scamwatch, through the National Anti-Scam Centre website.
This website also hosts information to support individuals to protect themselves from scams and recognise the signs of a scam.
Phishing emails and texts
Phishing is a way cybercriminals trick you into giving them personal information. They do this by sending fake emails or text messages that look like they come from a person or organisation you trust. They may try to steal your online banking logins, credit card details or passwords. Phishing can result in the loss of information, money or identity theft.
If you think you’ve been targeted by a phishing attack, visit the cyber.gov.au phishing advice page to understand the steps you should take.
How can I protect my information online?
As an individual there are steps you can take to protect your personal information and online accounts, particularly if you think any of your information, such as logins or passwords, have been caught in a data breach.
Three simple steps you can take to be more secure online are:
- Set up multi-factor authentication to add an extra layer of security to your online accounts.
- Create strong and unique passphrases of 14 or more characters long for every account.
- Install software updates regularly to keep your devices secure.
By incorporating these simple steps into your daily online activity, you can significantly improve your personal cyber security.
Learn the basic steps to protect yourself online at cyber.gov.au, the Australian Government’s trusted source of cyber security advice, and where you can receive the latest cyber information and advisories.
Identifying and reporting cyber security incidents
The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) provides technical incident response advice and assistance to Australian organisations that have been impacted by a cyber security incident.
Cyber security incidents can be reported to ASD’s ACSC via the Australian Cyber Security Centre Hotline on 1300Cyber1 (1300 292 371) or online at ReportCyber.
Mental health support
We understand some people may feel distressed following a data breach.
Data breaches involving sensitive personal information can have an impact on mental health. It is essential that individuals can find proper support if they feel worried, anxious or depressed due to the impacts of a data breach.
As a first step, seek online or phone support, or see your doctor.
Head to Health
Anyone in Australia can call the Head to Health phone service on 1800 595 212, where you can speak with a mental health professional who will listen and work with you to get the support you need – whether that’s advice, information or referral into an appropriate mental health service.
You can also access a range of support services and resources through the Head to Health website. You will find information, advice and links for free and low-cost mental health services.
Medicare rebate for mental health services
You can also access Medicare-subsidised mental health services if you or someone you know is experiencing distress or mental health concerns. Eligible people can currently receive Medicare rebates for up to 20 individual and 10 group mental health services per calendar year. Anyone that thinks they may be in need of extra support can speak to their GP, or another referring practitioner.
Find out more about the Better Access initiative.
Support for young people
Young people are particularly susceptible to mental health issues following traumatic events. Ongoing mental health problems can result in poorer educational outcomes and a loss of sense of stability and safety.
The Government provides funding to Headspace to support young people aged 12-25 experiencing, or at risk of experiencing mild to moderate mental illness. A list of headspace services, including online services can be found at Headspace.
Support for international students
International students and their dependants can also access subsidised mental health services under their Overseas Student Health Cover (OSHC). Policy holders can receive OSHC rebates from their insurer for mental health services where there is a corresponding Medicare Benefits Schedule (MBS) item and they are referred by a GP. Anyone that thinks they may be in need of extra support can speak to their GP, or another referring practitioner.
Advice for general practitioners, pharmacists or other medical professionals
What advice should I give to my patients who may be impacted?
If you have a patient concerned that their information has been breached, direct them to this information page. We also ask you to advise your patients they can – and should – continue to fill their electronic and paper prescriptions and access their medications.
The current prescription delivery service is not affected, and health care providers can still prescribe and dispense as usual.
What action should I take if I think my Medicare Provider Number (MPN) or PBS prescriber number has been impacted?
MPNs and PBS prescriber numbers are already publicly available numbers that are printed on invoices, health certificates and patient referrals.
An MPN or PBS prescriber number is not enough information for a third party threat actor to access Medicare records or claiming systems. These claiming systems include security measures to prevent unauthorised access. Online channels and our telephony channels are protected by proof of record ownership processes.
If a health professional is notified that their MPN or PBS prescriber number has been exposed, they don’t need to request a new one.
Are there any extra precautions I need to take?
Following any data breach in the healthcare sector, healthcare providers should be especially vigilant when being asked to send sensitive healthcare information over the phone, email or fax.
This could require healthcare providers to call patients back on their known contact details, or ask identifying questions that you wouldn’t expect to find contained on a prescription.
The ABC article provides:
About 12.9 million Australians had their data stolen in the MediSecure hack earlier this year, the eScripts provider has revealed, placing it among the largest cyber breaches in Australian history.
MediSecure, which facilitates electronic prescriptions and dispensing, confirmed in May it was the victim of a ransomware attack, although the theft itself took place earlier, and continued until November 2023.
The company had not previously disclosed how many Australians were affected, and has not contacted people individually.
Medisecure was one of only two eScript providers in Australia until late last year, when competitor eRx took over the government contract to supply the entire market.
The company went into voluntary administration in June after the federal government declined to provide it with a financial bailout.
Medisecure’s statement, released late yesterday, explained that the cost has hampered its response to the attack.
“MediSecure is unable to identify the specific impacted individuals despite making all reasonable efforts to do so due to the complexity of the data set,” it said.
It added that doing so would have come at a “substantial cost that MediSecure was not in a financial position to meet”.
“By the time this breach happened, MediSecure had lost its main source of revenue,” said Katherine Mansted, Director of Cyber Intelligence for security firm CyberCX.
“That, of course, has complicated the response to this incident,” she said.
“This is an entity that doesn’t necessarily have the incentive or the revenue profile to really ‘grip this incident up’, as perhaps we’ve seen with other major incidents in Australia in the past.”
In a statement released late Thursday afternoon, MediSecure gave details about the kinds of data stolen, including full names, phone numbers, dates of birth, home addresses, Medicare numbers, and Medicare card expiry dates.
The 6.5 terabytes of data also included some sensitive health information, such as which medications people were prescribed, the name of the drug, dosage, the reason for their prescription, and instructions for taking the medication.
Credit card details were not exposed in the breach.
Where is the data now?
There’s no indication the trove has been published in full, but the government and law enforcement, including the Australian Federal Police, are continuing to monitor for it.
A tiny sample of the data was published on a dark web forum following the hack, and the larger data set was listed as being for sale, for $50,000.
It’s not clear whether the data was sold, but it’s considered likely.
“Once the data genie is out of the bottle, it’s impossible to get that data back”, Ms Mansted said.
If the data set was in fact bought, it’s also possible the buyer was a security entity, and not a cyber criminal, according to analysts.
Nevertheless, Australians are being told to watch out for scams referencing the MediSecure data breach, and not to respond to unsolicited contact that mentions the incident.
National Cyber Security Coordinator Lieutenant General Michelle McGuinness released a statement on X.
“If contacted by someone claiming to be a medical or other service provider, including financial service provider, seeking personal, payment or banking information, you should hang up and call back on a phone number you have sourced independently.”
In light of the Optus and Medibank breaches in 2022 and the breach of financial services company Latitude last year affecting 14 million people, authorities now believe most Australians have been exposed in some way, and some several times over.
Lieutenant General McGuinness warned Australians not to go looking for the dataset online.
“I understand many Australians will be concerned about the scale of this breach,” she said.
“This activity only feeds the business model of cyber criminals and can be a criminal offence.”
She is also reassuring Australians that current eScript services are not affected.
“There is no impact to the current national prescription delivery service, and people should keep accessing their medications and filling their prescriptions,” said Lieutenant General McGuinness.
The Guardian article provides:
MediSecure reveals about 12.9 million Australians had personal data stolen by hackers in April
Company says it is unable to identify specific individuals affected by one of the largest breaches in Australian history
The electronic prescriptions provider MediSecure has revealed 12.9 million people, or almost half of the whole country, had their personal and health data stolen by hackers earlier this year in one of the biggest breaches in Australian history.
On April 14 MediSecure, which facilitates electronic prescriptions and dispensing, became aware a database server had been encrypted by suspected ransomware.
The company had previously not said how many people had been affected by the breach, but on Thursday the provider’s administrators released an update revealing millions of Australians have had their data stolen, though the company could not identify exactly who has been affected.
“MediSecure can confirm that approximately 12.9 million Australians are impacted by this incident based on individuals’ healthcare identifiers,” administrators FTI Consulting said in a statement.
“However, MediSecure is unable to identify the specific impacted individuals despite making all reasonable efforts to do so due to the complexity of the data set.”
The company said the data included details such as full names, phone numbers, home addresses, Medicare numbers and the medications people were prescribed.
In total, 6.5 terabytes of data were taken by hackers, which is the equivalent of billions of pages of text.
“This made it not practicable to specifically identify all individuals and their information impacted by the incident without incurring substantial cost that MediSecure was not in a financial position to meet,” the administrators said.
“The investigation indicated that 6.5TB of data stored on the server was likely exfiltrated by a malicious third-party actor, however, the encrypted server could not be examined to ascertain the information specifically accessed.”
The National Cyber Security coordinator lieutenant general, Michelle McGuinness, said in a statement that there was no effect on prescriptions.
“People should keep accessing their medications and filling their prescriptions,” McGuinness said.
McGuinness said the government did not believe the full data set had been published on the dark web and warned against people going looking for it.
“I understand many Australians will be concerned about the scale of this breach,” she said. “This activity only feeds the business model of cyber criminals and can be a criminal offence.”
McGuinness also warned people against scammers who may use their data to contact them.
“If contacted by someone claiming to be a medical or other service provider, including financial service provider, seeking personal, payment or banking information, you should hang up and call back on a phone number you have sourced independently.”
MediSecure was one of two ePrescription services until late 2023, when the Australian government awarded the service exclusively to another company, Fred IT Group’s eRx Script Exchange.
MediSecure appointed liquidators and went into administration in June and is not part of Australia’s digital health network.
The national prescription delivery service, eRx, is not affected by this cyber incident, the government confirmed.