Auditors unveil full scale of MediSecure breach
MediSecure has revealed its hack earlier this year was among the largest cyber breaches in Australian history, with over nearly 13 million affected from March 2019 to November 2023.
Medisecure was one of only two eScript providers in Australia until late last year, when competitor eRx took over the government contract to supply the entire market.
In April 2024 it discovered a database server had been encrypted by suspected ransomware. The company went into voluntary administration in June after the federal government declined to provide it with a financial bailout.
The results of an investigation into the breach undertaken by FTI Consulting have now been released.
The hacked server was restored however the report says the nature and volume of the data made the forensic analysis very complex and time-consuming. It required the support of cyber and forensic experts from McGrathNicol Advisory in collaboration with the National Cyber Security Coordinator and the National Office of Cyber Security (NOCS) of the Department of Home Affairs and the Department of Health and Aged Care (DOHA).
“MediSecure can confirm that approximately 12.9 million Australians who used the MediSecure prescription delivery service during the approximate period of March 2019 to November 2023 are impacted by this Incident based on individuals’ healthcare identifiers. However, MediSecure is unable to identify the specific impacted individuals despite making all reasonable efforts to do so due to the complexity of the data set.
“The impacted server analysed by McGrathNicol Advisory consisted of an extremely large volume of semi-structured and unstructured data stored across a variety of data sets. This made it not practicable to specifically identify all individuals and their information impacted by the Incident without incurring substantial cost that MediSecure was not in a financial position to meet.”
No credit card details were included in the breached data, although it did include detailed personal details including reasons for prescription and medication, name, date of birth, gender, email address and phone number. This was in addition to individual healthcare identifier (IHI) and details from Medicare card, Pensioner Concession card, Commonwealth Seniors card, Healthcare Concession card and Department of Veterans’ Affairs (DVA) (Gold, White, Orange) card.
National Cyber Security Coordinator Lieutenant General Michelle McGuinness has emphasised that current eScript services are not affected.
"There is no impact to the current national prescription delivery service, and people should keep accessing their medications and filling their prescriptions," said Lieutenant General McGuinness.