How to tell if you were hit by the MediSecure cyberattack

Almost 13 million Australians had their personal medical information leaked online when electronic prescription provider MediSecure was hacked in April, data released by the company has revealed.

An investigation commissioned by MediSecure’s liquidators – after the company declared insolvency last month – has found 12.9 million people had personal information stolen in the 14 April cyberattack.

The attack has gone down as one of the largest data breaches in Australian history after 6.5 terabytes of data was accessed. But frustratingly, the investigation was unable to uncover exactly who is affected.

FTI Consulting, which conducted the investigation, said in a statement last Thursday that it was “unable to identify the specific impacted individuals despite making all reasonable efforts to do so”.

It said the complexity of the data set meant any further investigation would be prohibitively expensive.

“This [the complexity] made it not practicable to specifically identify all individuals and their information impacted by the incident without incurring substantial cost that MediSecure was not in a financial position to meet,” the statement reads.

The full 6.5 terabyte database was then found on a Russian hacking forum a week after the attack, being offered for sale for US$50,000, Cyber Daily reported.

What was taken?

The investigation may not have been able to identify who has been affected, but it was able to confirm what types of personal health information were compromised.

Affected info categories include: full name; title; date of birth; gender; email address; address; phone number; individual healthcare identifier; Medicare card number, including individual identifier, and expiry; Pensioner Concession card number and expiry; Commonwealth Seniors card number and expiry; Healthcare Concession card number and expiry; Department of Veterans’ Affairs card number and expiry; prescription medication, including name of drug, strength, quantity and repeats; and reason for prescription and instructions.

They also confirmed the affected data relates to the period between March 2019 and November 2023.

The post from the hacker offering the data for sale also provides clues on what was taken, but whether the poster is telling the truth can’t be confirmed.

“[Database] Includes information on citizens, insurance numbers, phone numbers, addresses, full names, supplier information, contractor information, emails, user+passwords for MedSecure [sic] website, prescription information (who was prescribed what), IP addresses of visitors to the site and etc,” the post reads.

How to tell if you’ve been affected – and what to do

Although it has so far been impossible to identify individuals affected, 12.9 million people is almost half the Australian population, so it might be safer to assume you have been compromised and take appropriate precautions.

Before declaring insolvency, MediSecure was one of only two companies providing electronic prescription services – or eScripts – in Australia, the other being eRx.

If you’ve ever received a refill on a prescription via text message, this is the kind of service these types of companies provide.

The federal government’s national cyber security coordinator, Michelle McGuinness, urged people in a post on X (formerly Twitter) to be vigilant about any unsolicited offers they might receive.

“Be on the lookout for scams referencing the MediSecure data breach, and do not respond to unsolicited contact,” her post reads.

“If contacted by someone claiming to be a medical or other service provider, including financial service provider, seeking personal, payment or banking information you should hang up and call back on a phone number you have sourced independently.”

Services Australia reassured concession card holders that their accounts can’t be accessed with card numbers alone.

“Services Australia advises that individuals do not need to take any action related to their Pensioner Concession, Healthcare Concession, and Commonwealth Seniors cards,” the agency said in a statement.

“While your Medicare account cannot be accessed with your Medicare card details alone, if you’re concerned about your Medicare card details, the easiest way to replace your Medicare card is by using your Medicare online account through myGov.”


Brad Lockyer