MediSecure Data Breach Update Confirms 12.9 Million Records Stolen; Identification of Affected Individuals Difficult

Already plagued by massive data breaches in recent years, Australia looks to have a new entry in the list of top five largest in its history. An April breach of prescription provider MediSecure has been confirmed to have exposed about 12.9 million records, which would put it behind just the massive Canva breach of May 2019. A well-publicized breach of Latitude in 2023 did involve slightly more records overall, but these were mixed with customers from New Zealand.

The MediSecure data breach contains both personal information and details about prescription medications, though security experts say that the two are not connected in a straightforward manner and that it can be difficult to tie medical details to individual identities. National Cyber Security Coordinator Lieutenant General Michelle McGuinness has also said that the Australian government is not aware of the full dataset being published.

Update to April MediSecure data breach: Ransomware involved, 6.5 TB of data taken

MediSecure identified the data breach in April and disclosed it to the public in May. In early June, the company went into voluntary administration, with its subsidiary Operations MDS Pty Ltd. slated for liquidation.

An incident analysis has since determined that at least one of the company’s database servers was hit with ransomware, something that complicated recovery as a third-party firm had to be called in to assist with restoring from backups. The general lack of structure to the data sets may actually be helping to shield victims, however, as it can be difficult to tie details to individual identities. The government is presently having problems with notifying potential victims due to this issue.

The data breach included details on prescriptions such as the drug types and dosages issued, along with dates issued and patient conditions related to the prescription. However, accurately pairing this information with the included names and health identification numbers may well be difficult for the attackers if not impossible in some cases. The data breach contains prescription information from March 2019 to November 2023, but it is unclear if or when individuals might be contacted about exposed personal records.

McGuinness is advising Australians to be wary, however, as the criminals may take advantage of this uncertainty to send phishing or scam messages to names found in the database that purport to be government notifications of exposed records.

MediSecure breach joins list of Australia’s biggest, but total damage remains in question

The data breach is so massive in part because MediSecure was one of only two ePrescription services licensed by the government, something that changed in late 2023 (shortly after the period from which the stolen records are drawn) when officials opted to hand that license solely to Fred IT Group’s eRx Script Exchange. Authorities stress that eRx was not impacted by this incident at any point and remains safe to use.

MediSecure was thus already financially on the ropes well before the data breach happened, and the company’s status has exacerbated concerns about its ability to respond and remediate. Though the Australian government has said that it sees no sign of the full set of stolen data being leaked to the dark web, a sample was posted on an underground forum and the threat actors asked for $50,000 for the full set. There is not yet any indication of a sale being made.

Due to the technical specifics of the data breach, residents of Australia may get no indication that something is wrong until a scam attempt is made on them. This means being on heightened alert for unusual text messages, emails and calls, or even for unusual activity on credit reports. Unfortunately, this is all something that Australians are becoming used to after about two years of massive breaches of sensitive personal information seeming to roll in at least once every few months. This includes the Latitude, Optus and Medibank breaches of 2022 and 2023, all involving somewhere around 10 million records each.

Australia’s Department of Home Affairs is advising potentially impacted parties, those having prescriptions filled by MediSecure between 2019 and 2023, that they should not attempt to search for their leaked data online as that will likely contribute to the attacker’s capacity to abuse the information. It also advises that the leaked information cannot be used by itself to access Medicare, Pensioner Concession, Healthcare Concession, or Commonwealth Seniors accounts.

Still, those who are concerned about their information security can visit the Services Australia website to request replacement of their cards. The agency also urges users to take advantage of the added security layers available for these accounts: passkeys, a connected Digital ID or multi-factor authentication. Suspected attempts at scams or phishing can also be reported to the Australian Competition and Consumer Commission’s National Anti-Scam Centre via its online “Scamwatch” program.