MediSecure and its insolvency administrator, FTI Consulting, have ceased their investigation of a cyber attack in which a malicious third-party actor stole the personal and sensitive information, including contact and health information, of approximately 12.9 million Australians using the MediSecure prescription delivery service between March 2019 and November 2023.
In a July 18, 2024, statement, MediSecure confirmed that it sought funding from the Australian Government to assist with the costs of responding to the incident, but the Government declined the request. Given the limited financial resources of both entities and the costs involved in responding to the cyberattack, administrators were appointed to MediSecure Ltd and Operations MDS Pty Ltd on June 4, 2024.
MediSecure first became aware of the incident after discovering a database server had been encrypted by suspected ransomware in April 2024.
MediSecure secured its IT environment and began a forensic investigation into the relevant impact of the incident. The investigation indicated that 6.5TB of data stored on the server was likely exfiltrated by a malicious third-party actor. However, the encrypted server could not be examined to ascertain the information specifically accessed.
Nonetheless, given the impacted server likely included the personal and health information of potentially many individuals, MediSecure notified the incident to various authorities. MediSecure says it has since worked closely with the National Cyber Security Coordinator, the Australian Federal Police, the Australian Signals Directorate, and the Office of the Australian Information Commissioner, to respond to the incident in a way consistent with Australia’s national security interests and the community’s expectations.
On May 17, 2024, with the assistance of IT specialists, MediSecure successfully restored a complete server backup and took immediate steps to investigate the impacted information. The public were advised of the attack on May 16.
While now confirming the data concerning 12.9 million people was taken, MediSecure says it cannot identify the specific individuals despite making all reasonable efforts to do so due to the complexity of the data set.
“The impacted server analysed by McGrathNicol Advisory consisted of an extremely large volume of semi-structured and unstructured data stored across a variety of data sets,” the company’s July 18 statement reads. “This made it not practicable to specifically identify all individuals and their information impacted by the incident without incurring substantial cost that MediSecure was not in a financial position to meet.”
The analysis of the data can confirm that the kinds of information impacted by this incident includes:
- Full name;
- Title;
- Date of birth;
- Gender;
- Email address;
- Address;
- Phone number;
- Individual healthcare identifier (IHI);
- Medicare card number, including individual identifier, and expiry;
- Pensioner Concession card number and expiry;
- Commonwealth Seniors card number and expiry;
- Healthcare Concession card number and expiry;
- Department of Veterans’ Affairs (DVA) (Gold, White, Orange) card number and expiry;
- Prescription medication, including name of drug, strength, quantity and repeats; and
- Reason for prescription and instructions.
Both MediSecure and the Australia’s National Cybercrime Coordinator have requested that people not go looking for the data on the dark web.
“At this time, the Australian Government is not aware of publication of the full data set,” Australia’s National Cybercrime Coordinator Lieutenant General Michelle McGuinness said on social media this week. “No one should go looking for or access stolen sensitive or personal information from the dark web. This activity only feeds the business model of cyber criminals and can be a criminal offence.”
“Be on the lookout for scams referencing the MediSecure data breach, and do not respond to unsolicited contact that references the data breach experienced by MediSecure,” added McGuinness. “If contacted by someone claiming to be a medical or other service provider, including financial service provider, seeking personal, payment or banking information you should hang up and call back on a phone number you have sourced independently.”
The cyber attack has not interrupted Australia’s national prescription delivery service.