Australian electronic prescriptions provider MediSecure has suffered a large-scale ransomware attack that exposed customers’ sensitive information.
“MediSecure has identified a cyber security incident impacting the personal and health information of individuals,” the company stated.
MediSecure and eRx are Australia’s only electronic prescription providers, having collectively dispatched more than 189 million medications since May 2020.
While Australia’s health department depends on eRx after the government signed a four-year deal worth $100 million, MediSecure remains a key provider for Australia’s private healthcare sector, which serves about 41% of the country’s population.
Ransomware attack on electronic prescriptions provider MediSecure leaked PII and PHI
On May 16, 2024, MediSecure said it detected a “cyber security incident” and took immediate steps to mitigate any potential impact on its systems.
The electronic prescriptions provider also notified the Office of the Australian Information Commissioner and engaged the National Cyber Security Coordinator, who was overseeing the government response. Cybersecurity Minister Clare O’Neil has also confirmed being notified of the MediSecure data breach.
While investigations were ongoing to determine the scope of the large-scale ransomware data breach, MediSecure has preliminarily confirmed that personal and health information was impacted.
“We can confirm the cyber security incident impacts personal information and limited health information relating to prescriptions,” the electronic prescriptions provider stated. “Additionally, this cyber security incident also impacts the personal information of healthcare providers.”
MediSecure said the ransomware attack impacted data stored until November 2023, which excludes the most recent electronic prescriptions.
“The cyber security incident relates to data held by MediSecure’s systems up until November 2023,” the company said.
Meanwhile, Australia’s cyber security coordinator, Lieutenant General Michelle McGuinness, has described the ransomware attack as significant but isolated. However, Lieutenant General McGuinness said there was no evidence to suggest that the threat actor had leaked the stolen information.
Consequently, victims are not required to replace their identification documents or to take any immediate action until further instructed, which will happen in due course.
“If our investigation turns up any evidence to suggest Australians’ identities are at risk and they need to replace their documents, we will let them know,” the Coordinator said.
The Australian government, states, and territories were closely working with the Cyber Security Coordinator to determine which identities were at risk of compromise.
Although the threat actor’s identity remains undisclosed, MediSecure has reportedly received extortion demands. The electronic prescriptions provider was likely negotiating with the threat actor or withholding information to avoid undermining ongoing investigations.
However, Lt. Gen. McGuinness has discouraged ransom payment, warning that paying extortion demands funds cybercrime, creating a vicious cycle of cyber attacks while failing to guarantee data recovery.
“We do not recommend that anyone pays ransom — that just builds a cycle with the criminals,” she said.
Ransomware attack possibly a third-party breach
So far, the attack vector exploited during the MediSecure ransomware attack remains undisclosed. However, MediSecure has revealed that “early indicators suggest the incident originated from one of our third-party vendors.”
“Supply chain risks are becoming more prominent as attackers increasingly focus their efforts on smaller suppliers, who are often the weakest link,” said Stephen Gates, Principal Security SME, Horizon3.ai. “This fact poses a significant threat to the operational integrity and business continuity of buying and/or partnering organizations, making it a critical issue for CEOs, COOs, and CISOs to promptly address.”
So far, the number of impacted victims and the nature of information compromised in the MediSecure ransomware attack are still under investigation.
“We are still working to build a picture of the size and nature of the data that has been impacted by this data breach impacting MediSecure,” McGuinness said.
Meanwhile, MediSecure has ruled out the possibility of patients losing access to medications and prescriptions as a result of the ransomware attack.
“MediSecure is not a current participant in Australia’s digital health network,” the company said. “As such, this cyber security incident does not impact the prescribing and dispensing of medication.”
While MediSecure had very limited detail to share, the electronic prescriptions provider said it was “working very hard to communicate with impacted individuals as soon as possible.”
Lt. Gen. McGuinness has warned that Australian healthcare organizations continue to face the persistent threat of cyber attacks, a trend also witnessed in the United States.
“We’d be naive to think we won’t continue to be targeted, particularly the health industry,” she said.
According to Camellia Chan, CEO of Flexxon, the MediSecure ransomware data breach “follows the trend of healthcare and public health agencies being targeted by cybercriminals.”
Chan also warned that the impacts of healthcare cyber attacks extend beyond financial losses and could directly impact patient care: “In this case, many patients could experience delays in receiving vital medication.”