A major data breach at e-script provider MediSecure has left Australians wondering whether their sensitive health data has been breached – here’s everything we know so far.

Until late 2023, MediSecure was one of two prescription delivery services operating at a national scale in Australia – enabling people to have prescriptions delivered to a pharmacy of their choice.

While the current national prescription delivery service has since changed to another provider – eRx Script Exchange – MediSecure last week announced an unfolding cyber incident that affects Australians’ private information collected during its tender.

“We can confirm the cyber security incident impacts personal information and limited health information relating to prescriptions,” wrote MediSecure.

The incident has been described as a large-scale “ransomware data breach incident”, and the Department of Home Affairs specified that it has affected a “MediSecure database” containing prescription-related information.

Furthermore, government services agency Services Australia has issued early advice for those concerned over their healthcare card identifier details – such as Medicare or concession details.

“Your Medicare account cannot be accessed with your Medicare card number alone,” said Services Australia and Home Affairs.

“Unlike a scan or copy of a Medicare card, a Medicare card number by itself cannot be used as proof of identity.

“Services Australia is examining other potential impacts to individuals’ identity security associated with breached card numbers.”

On Saturday, MediSecure revealed the cyber incident also impacts “the personal information of healthcare providers”.

Meanwhile, the Department of Home Affairs has advised general practitioners, pharmacists and “other medical professionals” to direct potentially impacted patients to an information page specifically dedicated to the incident.

“We also ask you to advise your patients they can – and should – continue to fill their electronic and paper prescriptions and access their medications,” wrote Home Affairs.

“The current prescription delivery service is not affected, and health care providers can still prescribe and dispense as usual.”

Australia’s National Cyber Security Coordinator (the ‘Coordinator’) said the government is “looking closely” at whether any evidence suggests identity documents have been compromised in the breach, and is working closely with MediSecure, Services Australia and state and territory credential issuing bodies to “build a full picture” of the impacted dataset.

“If our investigation turns up any evidence to suggest Australians’ identities are at risk and they need to replace their documents, we will let them know,” said the Coordinator.

A delayed discovery?

Although the incident was first announced on 16 May, a statement from MediSecure suggests anonymous hackers may have initiated their attack more than six months ago.

“The cyber security incident relates to data held by MediSecure’s systems up until November 2023,” wrote MediSecure.

The Melbourne-based health company has not indicated when or how the attack occurred, though its statement suggests the data was impacted by November at the latest.

At the time of writing, MediSecure’s phone line is unattended and it is unclear whether any of the company’s email addresses are monitored.

Information Age has reached out for comment regarding when the company first became aware of the incident, and whether or not the company received any ransom demands.

Neither MediSecure nor the Coordinator has revealed the precise scale of the breach, but Australians received more than 143 million electronic prescriptions between 2020 and 2023.

Third-party breach

Similar to the landmark 2022 data breach at health insurer Medibank, MediSecure said “early indicators” suggest the incident originated from one of its third-party vendors, though it did not name which vendor this may have been.

Mark Jones, senior partner at Thales Australia cyber security company Tesserent, said the incident highlights the importance of reviewing third parties' information risk management.

“It’s important for organisations to protect sensitive information, safeguard intellectual property, maintain supply chain integrity, ensure compliance with regulations, and mitigate operational risks,” said Jones.

“Organisations should not only focus on internal controls, but also put a strong focus on managing their third-party suppliers and understand and assess the security risks they may pose.”

On 16 May, the Coordinator responded to the incident by convening the National Coordination Mechanism (NCM) – a national crisis management framework which was used during the COVID-19 pandemic, and later during responses to data breaches at Medibank and major ports operator DP World.

The NCM works to pull together government stakeholders and form a cohesive understanding of a given issue. While it is typically reserved for large-scale events such as data breaches on critical infrastructure, on 17 May the Coordinator said there was “no evidence” to suggest an increased cyber threat to the medical sector based on “technical advice from MediSecure to date”.

The Coordinator also stressed the incident response is still in its “preliminary stages”, and information is “still being obtained”. Meanwhile, on the now-defunct business website of MediSecure, the company posted a statement saying it is “working very hard” to communicate with impacted individuals “as soon as possible”.

“We appreciate your continued patience, and we will provide further updates to the community when available,” said MediSecure.